How to brute-force web-based authentication systems with THC-Hydra
Tutorial provided by
Keeper |
Brief Introduction
Hey guys. I decided to make one. We gonna use the UNIX distribution of THC-Hydra and I'll go through some of its main features and different attack methods.
I. How to install
First you’ll need Backtrack, of course. You can either run it in virtualization on a virtual machine like VMware or Virtualbox. I will not cover how to boot Backtrack, there have already been lots of tutorials on the net.
Now I suppose most of you know how to run it but nevertheless I included a guide for the installation process under Backtrack 5R2 (or any unix based system as a whole).
Open up a terminal and type:
Code:
wget http://freeworld.thc.org/releases/hydra-6.3-src.tar.gz
Once downloaded going to extract it
Code:
tar -xvf hydra-6.3-src.tar.gz
Now configuring and installing
Code:
./configure && make && install
Code:
make install
II. How to use
Note: If you are attacking FTP service then first make sure to run an nmap scan for any open FTP ports (by default it should be 21)
Now in order to brute-force a specific login form you need to define the username (if you don't know it include a file containing some), the wordlists directory, the service attacking and form method and the page itself.
Specifying those parameters the attack would look like:
Code:
./hydra -l admin -P /root/Words.txt site.com http-post-form "/login.php&username=^USER^&password=^PASS^"
The -l switch defines the username and the capital -L - a list of usernames for the brute-force attack (if you don't know the login).
The -p switch defines the password and the capital -P - the directory for the wordlists ( the -P is used almost always)
If we're attacking a web form over http and the method is post then we use "http-post-form" if the service is FTP simply use "ftp".
Another thing you should be aware of is that the variables username and password are not always the same. They different depending on the code.
They could be usr, pwd etc - it's not necessarily for them to be as in most cases "username" & "password". Just view the source and make sure what their names are.
Now there are a lot more options of Hydra. I'll explain some of them below no matter that they are included in the MAN page of hydra
-vV - The verbose mode. This mode shows you every login attempt hydra tries.
-s - We specify the port on which we're running our attack.
-x - For brute-force parameters generation. We define our charset and minimum & maximum length of it.
-R - Restores a previously aborted session of an attack.
-e ns - Checks for blank or no password fields.
So an example of an advanced attack would look like:
Code:
./hydra -L /root/usernames.txt -P /root/HugeDB.txt -e ns -vV -s 80 site.com http-post-form "/login.php&username=^USER^&password=^PASS^
I hope this tutorial will be implemented for good (OK - evil :D) purposes.
Thanks for reading!