🛠 Hydra for targeted credential testing
Salute,
Today we'll look at a tool that is always at hand and that you can use to test the credential security of web applications, APIs and infrastructure services, either broadly or in a more narrowly focused way (P.S.: you can use xhydra if you want a small GUI).
THC Hydra is a brute-force tool: in essence, it enumerates credentials against services. License type: GNU Affero General Public License (AGPL). It is used for security audits, checking password strength and testing authentication systems. It can also lead to a DoS of the tested service, depending on how much "power" you put behind it.
Protocol support
• Web applications: HTTP/HTTPS Basic/Digest auth, login forms (http-post-form, https-post-form)
• Infrastructure: SSH, FTP, RDP, SMB, VNC, Telnet, SNMP, Redis
• Services: SMTP, POP3, IMAP, LDAP
• Databases: MySQL, PostgreSQL, Oracle
Command structure
hydra [options] -l LOGIN | -L login_file \
  -p PASSWORD | -P password_file \
  -t THREADS ... \
  PROTOCOL://HOST[:PORT][/PATH]
# SSH, single user
$ hydra -l root -P /usr/share/wordlists/rockyou.txt -t 6 ssh://192.168.1.123
# FTP
$ hydra -L users.txt -P passwords.txt ftp://10.0.0.5
# RDP
$ hydra -l admin -P /path/to/rdp_pass.txt -V rdp://192.168.1.50
# HTTP Basic auth with the http-get / http-head modules
$ hydra -L users.txt -P passwords.txt -s 8080 http-get://target.local/protected
# HTTP login form (http-post-form)
$ hydra -L users.txt -P passwords.txt target.com \
  http-post-form "/login:username=^USER^&password=^PASS^&submit=Login:F=Invalid credentials"
Features
• Parallel threads and the ability to manage them, which solves a large number of problems
• Work via proxy (SOCKS, HTTP)
• SSL/TLS support
• Customizable timeouts, delays, brute force strategy (vertically by password, horizontally by logins)
• Flexible configuration of delays, timeouts, HTTP form formats, headers, etc.
• Separate tool pw-inspector for filtering and generating dictionaries, including reuse
Example
# Paced run against an HTTPS login form (no proxy is set in this command)
#   -L / -P     login and password dictionaries
#   -s 443 -S   port 443 with SSL/TLS (HTTPS)
#   -e ns       also try an empty password and the login as the password
#   -W 3        wait 3 seconds between new connections per thread
#   -f          stop after the first success
#   -V          verbose output (show every attempt)
#   -o          write the results to a file
#   -I          ignore an existing restore file
#   -u          loop over all users for one password, then for the next
#   -x MIN:MAX:CHARSET (generated passwords) needs an argument and cannot be
#   combined with -P or -e, so it is left out here
hydra -L users.txt -P passwords.txt \
  -s 443 -S -e ns -W 3 -f -V -o found.txt -I -u \
  target.com https-post-form "/login:username=^USER^&password=^PASS^:F=Login failed"
Bottom line: it is convenient as a low-level brute-force engine wrapped in scripts and Makefiles. Hydra lets you quickly find weak passwords on SSH, RDP, web logins, databases and other services using wordlists and attack scenarios. Most importantly, the tool requires a good understanding of the protocols and of the mechanics of HTTP forms; otherwise you can get false results.
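Seen from the defending side, the two strategies mentioned above (vertical versus horizontal, the latter being what -u produces) leave differently shaped traces in authentication logs. The following is an added example, not part of the original post: it classifies the sources of failed SSH logins, using constructed log lines and illustrative thresholds (`min_attempts` and the 50% rule are assumptions, as are the labels "vertical" and "horizontal").

```python
import re
from collections import defaultdict

FAILED = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def _line(sec, user, ip, invalid=False):
    """Build one constructed sshd 'Failed password' log line."""
    who = ("invalid user " if invalid else "") + user
    return (f"Jan 10 10:00:{sec:02d} host sshd[4242]: "
            f"Failed password for {who} from {ip} port {40000 + sec} ssh2")

# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = "\n".join(
    # 8 guesses against one account from one source
    [_line(i, "root", "203.0.113.5") for i in range(8)]
    # one guess each against 6 accounts from another source
    + [_line(10 + i, u, "198.51.100.7", invalid=(u == "guest"))
       for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "guest"])]
    # a user mistyping once, then logging in successfully
    + [_line(30, "alice", "192.0.2.9"),
       "Jan 10 10:00:31 host sshd[4242]: Accepted password for alice "
       "from 192.0.2.9 port 40031 ssh2"]
)

def classify_sources(log_text, min_attempts=6):
    """Label each source IP by the shape of its failed logins.

    min_attempts and the 50% rule are illustrative thresholds, not tuned values.
    """
    per_ip = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            per_ip[m["ip"]][m["user"]] += 1
    verdicts = {}
    for ip, users in per_ip.items():
        total = sum(users.values())
        if total < min_attempts:
            verdicts[ip] = "below-threshold"
        elif len(users) * 2 >= total:
            verdicts[ip] = "horizontal"   # many accounts, few guesses each
        else:
            verdicts[ip] = "vertical"     # many guesses, few accounts
    return verdicts

if __name__ == "__main__":
    for ip, verdict in sorted(classify_sources(SAMPLE_LOG).items()):
        print(ip, verdict)
```

A per-account lockout counter alone catches the vertical pattern but not the horizontal one, which is why the grouping here is by source rather than by account.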
#appsec #toolchain #dast #secrets
