byt3n33dl3/thc-Hydra
Enterprise level of Parallelization SSH (Concurrency), Logon Penetration Testing.
License: AGPL-3.0 and BSD-2-Clause (see LICENSE file)
(c) 2001-2024 by van Hauser / THC <vh@thc.org>
continued by byt3n33dl3 <byt3n33dl3@pm.me>
many modules were written by <david.maciejak@gmail.com>
BFG code by Jan Dlabal <dlabaljan@gmail.com> and Sulaiman Aziz <byt3n33dl3@pm.me>

Licensed under AGPLv3 and BSD II: see LICENSE file

Please do not use in military or secret service organizations, or for illegal
purposes. (This is the wish of the author and non-binding. Many people working
in these organizations do not care for laws and ethics anyways. You are not one
of the "good" ones if you ignore this.)
NOTE: no this is not meant to be a markdown doc! old school!
thc-Hydra in the most current github state can be directly downloaded via Docker:

  docker pull byt3n33dl3/thc-Hydra
Number one of the biggest security holes are passwords, as every password
security study shows. This tool is proof-of-concept code, to give researchers
and security consultants the possibility to show how easy it would be to gain
unauthorized access from remote to a system.
THIS TOOL IS FOR LEGAL PURPOSES ONLY!
There are already several login hacker tools available, however, none either
supports more than one protocol to attack or supports parallelized connects.
It was tested to compile cleanly on Linux, Windows/Cygwin, Solaris,FreeBSD/OpenBSD, QNX (Blackberry 10) and MacOS.
Currently this tool supports the following protocols:
Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP,
HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY,
HTTPs-FORM-GET, HTTPs-FORM-POST, HTTPs-GET, HTTPs-HEAD, HTTPs-POST,
HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MEMCACHED, MONGODB, MS-SQL, MYSQL, NCP, NNTP,
Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, Radmin,
RDP, Rexec, Rlogin, Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3,
SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet,
VMware-Auth, VNC and XMPP.
However the module engine for new services is very easy, so it won't take a
long time until even more services are supported.
Your help in writing, enhancing or fixing modules is highly appreciated!! :-)
You can always find the newest release/production version of thc-Hydra at its
project page (release). If you are interested in the current development state,
the public development repository is at Github (svn co or git clone the repo).
Use the development version at your own risk. It contains new features and
new bugs. Things might not work!
Alternatively (and easier) you can pull it as a docker container:
docker pull byt3n33dl3/thc-Hydra
To configure, compile and install thc-Hydra, just type:

  ./configure
  make
  make install
If you want the ssh module, you have to setup libssh (not libssh2!) on your
system, get it from libssh; for ssh v1 support you also need to add the
"-DWITH_SSH1=On" option in the cmake command line.
IMPORTANT: If you compile on MacOS then you must do this (build libssh from
source) - do not install libssh via brew!
If you use Ubuntu/Debian, this will install supplementary libraries needed
for a few optional modules (note that some might not be available on your
distribution):

  apt-get install libssl-dev libssh-dev libidn11-dev libpcre3-dev \
                  libgtk2.0-dev libmysqlclient-dev libpq-dev libsvn-dev \
                  firebird-dev libmemcached-dev libgpg-error-dev \
                  libgcrypt11-dev libgcrypt20-dev

This enables all optional modules and features with the exception of Oracle,
SAP R/3, NCP and the apple filing protocol - which you will need to download
and install from the vendor's web sites.

For all other Linux derivates and BSD based systems, use the system
software installer and look for similarly named libraries like in the
command above. In all other cases, you have to download all source libraries
and compile them manually.
Supported platforms:

- All UNIX platforms (Linux, BSD, Solaris, etc.)
- MacOS (basically a BSD clone)
- Windows with Cygwin (both IPv4 and IPv6)
- Mobile systems based on Linux, MacOS or QNX (e.g. Android, iPhone, Blackberry 10, Zaurus, iPaq)
[ASCII art logo, garbled in extraction: "Hydra - L O G O N   F O R C E R"]
If you just enter Hydra, you will see a short summary of the important
options available. Type

  ./Hydra -h

to see all available command line options.
Note that NO login/password file is included. Generate them yourself.
A default password list is however present, use "dpl4Hydra.sh" to generate
a list.
For Linux users, a GTK GUI is available, try ./xHydra
For the command line usage, the syntax is as follows:
For attacking one target or a network, you can use the new "://" style:

  Hydra [some command line options] PROTOCOL://TARGET:PORT/MODULE-OPTIONS

The old mode can be used for these too, and additionally if you want to
specify your targets from a text file, you must use this one:

  Hydra [some command line options] [-s PORT] TARGET PROTOCOL [MODULE-OPTIONS]
Via the command line options you specify which logins to try, which passwords,if SSL should be used, how many parallel tasks to use for attacking, etc.
PROTOCOL is the protocol you want to use for attacking, e.g. ftp, smtp,
  http-get or many others are available
TARGET is the target you want to attack
MODULE-OPTIONS are optional values which are special per PROTOCOL module
FIRST - select your target
you have three options on how to specify the target you want to attack:
- a single target on the command line: just put the IP or DNS address in
- a network range on the command line: CIDR specification like "192.168.0.0/24"
- a list of hosts in a text file: one line per entry (see below)
SECOND - select your protocol
Try to avoid telnet, as it is unreliable to detect a correct or false login
attempt. Use a port scanner to see which protocols are enabled on the target.
THIRD - check if the module has optional parameters

  thc-Hydra -U PROTOCOL

e.g.

  thc-Hydra -U smtp
FOURTH - the destination port
this is optional, if no port is supplied the default common port for the
PROTOCOL is used.
If you specify SSL to use ("-S" option), the SSL common port is used by default.
If you use "://" notation, you must use "[" "]" brackets if you want to supply
IPv6 addresses or CIDR ("192.168.0.0/24") notations to attack:

  thc-Hydra [some command line options] ftp://[192.168.0.0/24]
  thc-Hydra [some command line options] -6 smtps://[2001:db8::1]/NTLM
Note that everything thc-Hydra does is IPv4 only!
If you want to attack IPv6 addresses, you must add the "-6" command line option.
All attacks are then IPv6 only!
If you want to supply your targets via a text file, you can not use the ://
notation but use the old style and just supply the protocol (and module options):

  thc-Hydra [some command line options] -M targets.txt ftp

You can also supply the port for each target entry by adding ":" after a
target entry in the file, e.g.:

  foo.bar.com
  target.com:21
  unusual.port.com:2121
  default.used.here.com
  127.0.0.1
  127.0.0.1:2121
Note that if you want to attack IPv6 targets, you must supply the -6 option
and must put IPv6 addresses in brackets in the file(!) like this:

  foo.bar.com
  target.com:21
  [fe80::1%eth0]
  [2001::1]
  [2002::2]:8080
  [2a01:24a:133:0:00:123:ff:1a]
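Added example, not part of the thc-Hydra sources: a small Python checker for
the -M target file format described above (plain host, host:port, [IPv6] and
[IPv6]:port). It parses every entry, validates bracketed IPv6 addresses, and
tells you whether the run has to be started with -6 and whether the file mixes
IPv4 literals with IPv6 entries (which, since -6 makes the whole run IPv6 only,
means the IPv4 ones will never be tried). Skipping blank lines and rejecting an
unbracketed IPv6 literal are my choices, not documented tool behaviour; the
sample file below is constructed from the entries shown above.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample, built from the entries shown in the text above.
SAMPLE_TARGETS = """\
foo.bar.com
target.com:21
[fe80::1%eth0]
[2001::1]
[2002::2]:8080
[2a01:24a:133:0:00:123:ff:1a]
unusual.port.com:2121
127.0.0.1:2121
"""

Target = Tuple[str, Optional[int], bool]  # (host, port or None for default, is_ipv6)


def _port(text: str, line: str) -> int:
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise ValueError(f"bad port in {line!r}")
    return int(text)


def parse_target_line(line: str) -> Target:
    """Parse one -M entry: HOST, HOST:PORT, [IPv6] or [IPv6]:PORT."""
    line = line.strip()
    if line.startswith("["):
        end = line.find("]")
        if end == -1:
            raise ValueError(f"unterminated bracket in {line!r}")
        host, rest = line[1:end], line[end + 1:]
        # A %scope suffix (fe80::1%eth0) is allowed; validate only the address part.
        ipaddress.IPv6Address(host.split("%", 1)[0])
        if rest == "":
            return host, None, True
        if not rest.startswith(":"):
            raise ValueError(f"unexpected text after ']' in {line!r}")
        return host, _port(rest[1:], line), True
    if ":" in line:
        # More than one ':' without brackets is a bare IPv6 literal, which the
        # file format above says must be bracketed (rejecting it is my choice).
        if line.count(":") > 1:
            raise ValueError(f"IPv6 address must be in brackets: {line!r}")
        host, port_s = line.split(":", 1)
        return host, _port(port_s, line), False
    return line, None, False


def parse_target_file(text: str) -> List[Target]:
    """Parse a whole -M file; blank lines are skipped (my choice, not a Hydra guarantee)."""
    return [parse_target_line(l) for l in text.splitlines() if l.strip()]


def needs_ipv6_flag(targets: List[Target]) -> bool:
    """True if any entry is IPv6, i.e. the run must be started with -6."""
    return any(is6 for _, _, is6 in targets)


def mixed_families(targets: List[Target]) -> bool:
    """True if the file holds both IPv4 literals and IPv6 entries: with -6 the
    IPv4 literals are never attacked, without -6 the IPv6 ones are not."""
    def is_v4_literal(host: str) -> bool:
        try:
            ipaddress.IPv4Address(host)
            return True
        except ValueError:
            return False
    return needs_ipv6_flag(targets) and any(is_v4_literal(h) for h, _, is6 in targets if not is6)


if __name__ == "__main__":
    targets = parse_target_file(SAMPLE_TARGETS)
    for host, port, is6 in targets:
        print(f"{'v6' if is6 else 'v4'} {host} port={port if port else 'default'}")
    if needs_ipv6_flag(targets):
        print("IPv6 entries present: start thc-Hydra with -6")
    if mixed_families(targets):
        print("WARNING: IPv4 literals and IPv6 entries in one file; split them into two runs")
```

Run it over your real targets file before starting a long job; a bad port or
an unbracketed IPv6 address is cheaper to catch here than after the first
connect attempts fail.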
You have many options on how to attack with logins and passwords
With -l for login and -p for password you tell thc-Hydra that this is the only
login and/or password to try.
With -L for logins and -P for passwords you supply text files with entries.
e.g.:

  Hydra -l admin -p password ftp://localhost/
  Hydra -L default_logins.txt -p test ftp://localhost/
  Hydra -l admin -P common_passwords.txt ftp://localhost/
  Hydra -L logins.txt -P passwords.txt ftp://localhost/
Additionally, you can try passwords based on the login via the "-e" option.
The "-e" option has three parameters:

  s - try the login as password
  n - try an empty password
  r - reverse the login and try it as password

If you want to, e.g. try "login as password" and "empty password", you
specify "-e sn" on the command line.
But there are two more modes for trying passwords than -p/-P:
You can use a text file where a login and password pair is separated by a colon,
e.g.:

  admin:password
  test:test
  foo:bar

This is a common default account style listing, that is also generated by the
dpl4Hydra.sh default account file generator supplied with thc-Hydra.
You use such a text file with the -C option - note that in this mode you
can not use -l/-L/-p/-P options (-e nsr however you can).
Example:

  Hydra -C default_accounts.txt ftp://localhost
And finally, there is a bruteforce mode with the -x option (which you can not
use with -p/-P/-C):

  -x minimum_length:maximum_length:charset

the charset definition is "a" for lowercase letters, "A" for uppercase letters,
"1" for numbers and for anything else you supply it is their real representation.
Examples:

  -x 1:3:a   generate passwords from length 1 to 3 with all lowercase letters
  -x 2:5:/   generate passwords from length 2 to 5 containing only slashes
  -x 5:8:A1  generate passwords from length 5 to 8 with uppercase and numbers
  -x '3:3:aA1&~#\\ "\'<{([-|_^@)]=}>$%*?./§,;:!`' -v  generates length 3 passwords with all 95 characters, and verbose.

  Hydra -l ftp -x 3:3:a ftp://localhost/target
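Added example, not part of the thc-Hydra sources: a Python model of the two
generation modes above, -e (login-derived candidates) and -x (bruteforce
charset). Its main use is sizing: x_keyspace tells you how many guesses a
-x spec expands to before you commit a run to it, and the parser shows the
one real trap in the syntax, namely that the charset may itself contain ':'
(as in the 95-character example), so only the first two colons separate the
fields. Dropping duplicate characters from the charset, deduplicating the -e
output for palindromic logins, and the shortest-first ordering are my choices;
Hydra's own ordering and handling of duplicates are not documented on this page.

```python
import itertools
import string
from typing import Iterator, List, Tuple

# Class letters of -x, as described in the text above.
_CLASSES = {"a": string.ascii_lowercase, "A": string.ascii_uppercase, "1": string.digits}


def e_candidates(login: str, flags: str) -> List[str]:
    """Passwords -e derives from the login: s = login, n = empty, r = reversed login."""
    out: List[str] = []
    for f in flags:
        if f == "s":
            out.append(login)
        elif f == "n":
            out.append("")
        elif f == "r":
            out.append(login[::-1])
        else:
            raise ValueError(f"unknown -e flag {f!r}")
    # A palindromic login makes 's' and 'r' identical; trying it twice is wasted time.
    return list(dict.fromkeys(out))


def parse_x(spec: str) -> Tuple[int, int, str]:
    """Parse MIN:MAX:CHARSET. The charset may contain ':' itself, so split on
    the first two colons only."""
    parts = spec.split(":", 2)
    if len(parts) != 3:
        raise ValueError("expected MIN:MAX:CHARSET")
    lo, hi = int(parts[0]), int(parts[1])
    if not 1 <= lo <= hi:
        raise ValueError("need 1 <= MIN <= MAX")
    expanded = "".join(_CLASSES.get(c, c) for c in parts[2])
    charset = "".join(dict.fromkeys(expanded))  # drop duplicates, keep order (my choice)
    if not charset:
        raise ValueError("empty charset")
    return lo, hi, charset


def x_keyspace(spec: str) -> int:
    """Number of candidates -x will try; check this before starting a run."""
    lo, hi, cs = parse_x(spec)
    return sum(len(cs) ** n for n in range(lo, hi + 1))


def x_candidates(spec: str) -> Iterator[str]:
    """Generate the candidates, shortest length first (my ordering)."""
    lo, hi, cs = parse_x(spec)
    for n in range(lo, hi + 1):
        for tup in itertools.product(cs, repeat=n):
            yield "".join(tup)


if __name__ == "__main__":
    print(e_candidates("admin", "nsr"))   # ['', 'admin', 'nimda']
    for spec in ("1:3:a", "2:5:/", "5:8:A1"):
        print(f"-x {spec}: {x_keyspace(spec):,} candidates")
    print(list(itertools.islice(x_candidates("2:5:/"), 4)))
```

Divide the keyspace by the per-second rate you measured against the service
(see the timing table further down) to get a realistic duration; "-x 5:8:A1" is
almost three trillion guesses, which is not a job for an online attack.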
Via the third command line parameter (TARGET SERVICE OPTIONAL) or the -m
command line option, you can pass one option to a module.
Many modules use this, a few require it!

To see the special option of a module, type:

  Hydra -U PROTOCOL

e.g.

  ./Hydra -U http-post-form

The special options can be passed via the -m parameter, as 3rd command line
option or in the service://target/option format.

Examples (they are all equal):

  ./Hydra -l test -p test -m PLAIN 127.0.0.1 imap
  ./Hydra -l test -p test 127.0.0.1 imap PLAIN
  ./Hydra -l test -p test imap://127.0.0.1/PLAIN
Some tips:

- sort your password files by likelihood and use the -u option to find
  passwords much faster!
- uniq your dictionary files! this can save you a lot of time :-)
    cat words.txt | sort | uniq > dictionary.txt
- if you know that the target is using a password policy (allowing users
  only to choose a password with a minimum length of 6, containing at least one
  letter and one number, etc.) use the tool pw-inspector which comes along
  with the thc-Hydra package to reduce the password list:
    cat dictionary.txt | pw-inspector -m 6 -c 2 -n > passlist.txt
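Added example, not part of the thc-Hydra package: a Python wordlist
preparation step covering the last two tips. It deduplicates while keeping the
original order, which matters because "sort | uniq" throws away the
likelihood ordering the first tip asks you to build (an order-preserving
alternative in the shell is awk '!seen[$0]++' words.txt), and then drops
words a password policy would never have accepted. The policy rules are
modelled on the pw-inspector options quoted above (minimum length, number of
character classes, digit required) but their exact semantics here are mine,
not pw-inspector's; the sample wordlist is constructed.

```python
import string
from typing import Iterable, List, Optional

# Constructed sample, roughly ordered by likelihood, with duplicates and
# policy violators deliberately included.
SAMPLE_WORDS = [
    "123456", "password", "Password1", "letmein", "password",
    "qwerty12", "Summer2024!", "abc", "LETMEIN", "p4ssw0rd", "123456",
]

_CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def dedupe_keep_order(words: Iterable[str]) -> List[str]:
    """Remove duplicates but keep the first occurrence in place, so a list sorted
    by likelihood stays sorted (unlike sort | uniq)."""
    seen = set()
    out: List[str] = []
    for w in words:
        if w not in seen:
            seen.add(w)
            out.append(w)
    return out


def class_count(word: str) -> int:
    """How many of the lower/upper/digit/special classes the word uses."""
    return sum(any(ch in cls for ch in word) for cls in _CLASSES)


def policy_filter(words: Iterable[str], min_len: int = 6, max_len: Optional[int] = None,
                  min_classes: int = 1, need_digit: bool = False) -> List[str]:
    """Drop words the target's password policy would have rejected at set time."""
    kept: List[str] = []
    for w in words:
        if len(w) < min_len:
            continue
        if max_len is not None and len(w) > max_len:
            continue
        if class_count(w) < min_classes:
            continue
        if need_digit and not any(c.isdigit() for c in w):
            continue
        kept.append(w)
    return kept


def prepare_wordlist(words: Iterable[str], **policy) -> List[str]:
    """dedupe first, then filter: the policy step never changes the order."""
    return policy_filter(dedupe_keep_order(words), **policy)


if __name__ == "__main__":
    # Mirrors "-m 6 -c 2 -n": at least 6 chars, two classes, a digit.
    for w in prepare_wordlist(SAMPLE_WORDS, min_len=6, min_classes=2, need_digit=True):
        print(w)
```

Write the result to a file and feed it to -P; with -u and a likelihood-ordered
list, the common passwords are tried against every login first.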
The results are output to stdio along with the other information. Via the -o
command line option, the results can also be written to a file. Using -b,
the format of the output can be specified. Currently, these are supported:

  text   - plain text format
  jsonv1 - JSON data using version 1.x of the schema (defined below).
  json   - JSON data using the latest version of the schema, currently there
           is only version 1.
If using JSON output, the results file may not be valid JSON if there areserious errors in booting thc-Hydra.
Here is an example of the JSON output. Notes on some of the fields:

  errormessages     - an array of zero or more strings that are normally printed
                      to stderr at the end of the thc-Hydra's run. The text is
                      very free form.
  success           - indication if thc-Hydra ran correctly without error (NOT
                      if passwords were detected). This parameter is either the
                      JSON value true or false depending on completion.
  quantityfound     - How many username+password combinations discovered.
  jsonoutputversion - Version of the schema, 1.00, 1.01, 1.11, 2.00, 2.03, etc.
                      thc-Hydra will make the second tuple of the version always
                      two digits to make it easier for downstream processors (as
                      opposed to v1.1 vs v1.10). The minor-level versions are
                      additive, so 1.02 will contain more fields than version
                      1.00 and will be backward compatible. Version 2.x will
                      break something from version 1.x output.
Version 1.00 example:
  {
    "errormessages": [
      "[ERROR] Error Message of Something",
      "[ERROR] Another Message",
      "These are very free form"
    ],
    "generator": {
      "built": "2021-03-01 14:44:22",
      "commandline": "thc-Hydra -b jsonv1 -o results.json ... ...",
      "jsonoutputversion": "1.00",
      "server": "127.0.0.1",
      "service": "http-post-form",
      "software": "thc-Hydra",
      "version": "v9.6"
    },
    "quantityfound": 2,
    "results": [
      {
        "host": "127.0.0.1",
        "login": "bill@example.com",
        "password": "bill",
        "port": 9999,
        "service": "http-post-form"
      },
      {
        "host": "127.0.0.1",
        "login": "joe@example.com",
        "password": "joe",
        "port": 4444,
        "service": "http-post-form"
      }
    ],
    "success": false
  }
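Added example, not part of the thc-Hydra sources: a Python loader for the
-b json / jsonv1 results file that applies the rules stated above. It treats a
file that is not valid JSON as a start-up failure (the note above says this
can happen), accepts any 1.x schema version because minor versions are
additive, refuses a different major version, checks that the results array
agrees with quantityfound, and keeps "success" separate from "found
credentials" since the two mean different things. The embedded input is the
version 1.00 example above; the summary dictionary layout is my own.

```python
import json
from typing import Any, Dict, List, Tuple

# The version 1.00 example from the text above, embedded as a constructed input.
SAMPLE_JSON = r'''
{
  "errormessages": ["[ERROR] Error Message of Something", "[ERROR] Another Message", "These are very free form"],
  "generator": {
    "built": "2021-03-01 14:44:22",
    "commandline": "thc-Hydra -b jsonv1 -o results.json ... ...",
    "jsonoutputversion": "1.00",
    "server": "127.0.0.1",
    "service": "http-post-form",
    "software": "thc-Hydra",
    "version": "v9.6"
  },
  "quantityfound": 2,
  "results": [
    {"host": "127.0.0.1", "login": "bill@example.com", "password": "bill", "port": 9999, "service": "http-post-form"},
    {"host": "127.0.0.1", "login": "joe@example.com", "password": "joe", "port": 4444, "service": "http-post-form"}
  ],
  "success": false
}
'''

SUPPORTED_MAJOR = 1

Credential = Tuple[str, int, str, str, str]  # (host, port, service, login, password)


def schema_version(ver: str) -> Tuple[int, int]:
    """'1.00' -> (1, 0). The minor part is always two digits per the text above."""
    major, minor = ver.split(".", 1)
    if len(minor) != 2 or not (major + minor).isdigit():
        raise ValueError(f"unexpected jsonoutputversion {ver!r}")
    return int(major), int(minor)


def load_results(text: str) -> Dict[str, Any]:
    """Parse a -b json/jsonv1 results file and return a checked summary.

    Raises ValueError when the file is not JSON (thc-Hydra failed at start-up),
    when the schema major version is not one we understand, or when the
    results array disagrees with quantityfound."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"results file is not valid JSON ({exc}); check thc-Hydra's stderr") from exc
    major, minor = schema_version(data["generator"]["jsonoutputversion"])
    if major != SUPPORTED_MAJOR:
        raise ValueError(f"schema {major}.{minor:02d} is not backward compatible with 1.x")
    creds: List[Credential] = [
        (r["host"], int(r["port"]), r["service"], r["login"], r["password"]) for r in data["results"]
    ]
    if len(creds) != data["quantityfound"]:
        raise ValueError("quantityfound does not match the results array")
    return {
        "clean_run": bool(data["success"]),    # tool ran without error; NOT "found something"
        "errors": list(data.get("errormessages", [])),
        "credentials": creds,
        "target": (data["generator"]["server"], data["generator"]["service"]),
        "schema": (major, minor),
    }


if __name__ == "__main__":
    summary = load_results(SAMPLE_JSON)
    print("clean run:", summary["clean_run"], "| errors:", len(summary["errors"]))
    for host, port, svc, login, pw in summary["credentials"]:
        print(f"[{svc}] {host}:{port} {login}:{pw}")
```

Note that the sample run found two credentials and still reports
"success": false; a downstream script that keys on "success" alone would
discard real findings, which is exactly why the loader reports both.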
Through the parallelizing feature, this password cracker tool can be very
fast, however it depends on the protocol. The fastest are generally POP3
and FTP.
Experiment with the task option (-t) to speed things up! The higher - the
faster ;-) (but too high - and it disables the service)

Run against a SuSE Linux 7.2 on localhost with a "-C FILE" containing
295 entries (294 tries invalid logins, 1 valid). Every test was run three
times (only for "1 task" just once), and the average noted down.
                              P A R A L L E L   T A S K S
  SERVICE      1       4       8      16      32      50      64     100     128
  -------  ------  ------  ------  ------  ------  ------  ------  ------  ------
  telnet    23:20    5:58    2:58    1:34    1:05    0:33   0:45*   0:25*   0:55*
  ftp       45:54   11:51    5:54    3:06    1:25    0:58    0:46    0:29    0:32
  pop3      92:10   27:16   13:56    6:42    2:55    1:57    1:24    1:14    0:50
  imap      31:05    7:41    3:51    1:58    1:01    0:39    0:32    0:25    0:21
(*)Note: telnet timings can be VERY different for 64 to 128 tasks! e.g. with128 tasks, running four times resulted in timings between 28 and 97 seconds!The reason for this is unknown...
guesses per task (rounded up):

  tasks            1     4     8    16    32    50    64   100   128
  guesses/task   295    74    37    19    10     6     5     3     3

guesses possible per connect (depends on the server software and config):

  telnet  4
  ftp     6
  pop3    1
  imap    3
thc-Hydra: Email me or David or Sulaiman if you find bugs or if you have
written a new module.
vh@thc.org or byt3n33dl3@pm.me (and put "antispam" in the subject line)

You should use PGP to encrypt emails to vh@thc.org