H y d r a
(c) 2001-2004 by Van Hauser / THC
Ver 4.5

Hydra 4.5 Chinese Instructions (I specifically added several examples; this document is the translation)
Term: freexploit
Author: AlLeesno
Date: 2005-1-22

1. Preface
------------
Password security research shows that many security vulnerabilities come down to passwords. This tool (Hydra) is a proof of concept for security researchers and security consultants, to show how easy it would be to gain unauthorized access to a remote system. Once again, to security enthusiasts (translator: including hackers, white guests, red guests, green guests): please use it legally!!! If you want to use this tool commercially, please refer to the license agreement (translator: the license is inside the source code archive).

There are many remote cracking tools on the Internet, but none of them supports more than one protocol or parallel connections. (Translator: "parallized" is a new noun; I translated it as "parallel".)

Currently, the tool supports cracking the following services: Telnet, FTP, HTTP, HTTPS, HTTP-Proxy, LDAP, SMB, SMBNT, MS-SQL, MySQL, REXEC, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3, Cisco auth, Cisco enable, SMTP-AUTH, SSH2, SNMP, CVS, Cisco AAA.

The module engine makes writing a new service module very easy, so supporting more services will not take much time. Planned: SSH v1, Oracle and more. We also appreciate people who help to write these modules :)

2. How to compile (Linux / UNIX)
------------
Enter ./configure, then make and make install.
If you have Cygwin, follow the instructions that ./configure prints after running.
On a Palm handheld, run ./configure-palm
On an ARM processor, run ./configure-arm

3. Supported platforms
------------
All UNIX platforms (Linux, *BSD, Solaris, etc.)
Mac OS/X
Windows with Cygwin installed (both IPv4 and IPv6)
Mobile systems with ARM processors and Linux (e.g. Zaurus, iPAQ)
Handheld (PalmOS) systems

4. How to use
------------
Enter ./configure and then make on the command line to compile Hydra. When compilation completes, run ./hydra -h to view the command line parameters. You can also enter make install to install Hydra into the /usr/local/bin directory.
Note: we do not provide dictionary files; you can create a weak-password dictionary yourself or download a dictionary from the Internet.
For Linux users a GTK interface is available; enter ./xhydra

5. Special parameter module
---------------------------
Through the third command line parameter (TARGET SERVICE OPTIONAL) or the -m parameter, you can pass one parameter to a module. Only a few modules actually need this. The following is a list of these modules:

Service module             Optional parameter
================================================================
www / http / ssl / https   Specifies the page to authenticate at (must be specified).
                           "/secret" or "http://bla.com/foo/bar" or
                           "https://test.com:8080/members" are all valid.
http-proxy                 Specifies the page to authenticate at (optional;
                           the default is http://www.suse.com/).
smbnt                      Value [L, LH, D, DH, B, BH] (must be specified):
                           (L) check local accounts, (D) domain accounts,
                           (B) either, (H) treat passwords as NTLM hashes.
ldap                       Specifies the DN (optional; you can also specify
                           the DN using the -l parameter).
cisco-enable               Specifies the login password of the Cisco device
                           (must be specified).
sapr3                      Specifies the client ID, a number between 0 and 99.
telnet                     Specifies the string displayed after a successful
                           Telnet login (case insensitive); use it if the
                           module's default produces too many false results
                           (optional).

The following example shows how to use the www module and pass it the web page to authenticate at:
  hydra -l jdoe -P /tmp/passlist www.attack.com http /members/
which is the same as:
  hydra -m /members/ -l jdoe -P /tmp/passlist www.attack.com http
Another example:
  hydra -m LH -l administrator -P sam.dump nt.microsoft.com smbnt
Yet another example:
  hydra -l gast -p gast -m 6 -s 3200 sapr3.sap.com sapr3
or this one:
  hydra -l Blared "Welcome Hacker"

6. Resuming an interrupted session (breakpoint crack)
---------------------------
When you stop Hydra with Ctrl-C, it records the recovery information in the hydra.restore file so that you can resume from the point of interruption. Hydra writes this file once every 5 minutes.
Note 1: When you use the -M parameter to crack several hosts in parallel, this feature is automatically turned off.
Note 2: The hydra.restore file cannot be used on a different system platform. (Translator: a strange rule; the author is quite lazy and does not bother with file format conversion, heh.)

7. How to use a proxy server
----------------------------
The HYDRA_PROXY_HTTP environment variable defines the web proxy (it works only for the HTTP service). Syntax:
  HYDRA_PROXY_HTTP="http://123.45.67.89:8080/"
For all other services, use the HYDRA_PROXY_CONNECT variable:
  HYDRA_PROXY_CONNECT=proxy.anonymizer.com:8000
If the proxy requires a user name and password, use the HYDRA_PROXY_AUTH environment variable:
  HYDRA_PROXY_AUTH="the_login:the_password"

8. Other usage tips
----------------------------
* Remove duplicate words from your dictionary files; this can save you a lot of time :-) (Translator: for the Linux uniq command see http://www-900.ibm.com/developerWorks/cn/linux/l-tip-prompt/l-tiptex6/index.shtml)
  cat words.txt | sort | uniq > dictionary.txt
* If you know the other party's password policy (for example, a minimum length of 6 with at least one letter and one number), you can use the pw-inspector tool included in the Hydra package to reduce the password dictionary:
  cat dictionary.txt | pw-inspector -m 6 -c 2 -n > passlist.txt

9. Parameters you will never see in Hydra
---------------------------------
This section lists some of the parameters that will never appear in Hydra, and explains why.
? Feeding login names and passwords from standard input (for example, from john)
# This parameter will not be implemented in Hydra, for two reasons: it cannot work with a) the breakpoint (restore) function and b) multiple targets. Because it does not fit the normal functionality, I will not write this parameter.

10. Speed
----------------------------
Because the tool runs its connections in parallel, cracking can be very fast. Speed by protocol: POP3 > FTP > Telnet > IMAP.
You can speed things up by adjusting the -t parameter: the greater the value, the faster the cracking, but beware of causing a denial of service.

11. Test reference
----------------------------
Test system: SuSE Linux 7.2
Using the -C file parameter, a total of 295 login attempts (294 failed logins, 1 success).
Each case was tested three times (the single-thread case only once); the averages are as follows:

                             Parallel threads
Service   1      4      8      16     32     50     64     100    128
------------------------------------------------------------------------
telnet    23:20  5:58   2:58   1:34   1:05   0:33   0:45*  0:25*  0:55*
ftp       45:54  11:51  5:54   3:06   1:25   0:58   0:46   0:29   0:32
pop3      92:10  27:16  13:56  6:42   2:55   1:57   1:24   1:14   0:50
imap      31:05  7:41   3:51   1:58   1:01   0:39   0:32   0:25   0:21

(*) Note: Telnet timings can vary widely between 64 and 128 threads. For example, four test runs with 128 threads took between 28 and 97 seconds. The reason has not been identified so far.
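
Seen from the server side, the parallel threads measured above show up as many simultaneous connections from one source, each failing a few logins. The detector below is an added example (not part of Hydra or of the original README); the log format, thresholds and addresses are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are assumptions for this example; tune them to your own traffic.
WINDOW = timedelta(seconds=60)  # sliding window per source address
MAX_FAILURES = 20               # failed logins inside the window
MAX_CONNECTIONS = 8             # distinct connections carrying those failures


def parse(line):
    """Parse 'ISO-time source conn-id OK|FAIL' (a constructed log format)."""
    ts, src, conn, result = line.split()
    return datetime.fromisoformat(ts), src, conn, result == "FAIL"


def detect_parallel_guessing(lines):
    """Return {source: time of first alert} for sources whose failed logins
    are both numerous and spread over many connections within WINDOW."""
    recent = defaultdict(deque)  # source -> (time, conn) of recent failures
    alerts = {}
    for ts, src, conn, failed in sorted(map(parse, lines)):
        if not failed or src in alerts:
            continue
        window = recent[src]
        window.append((ts, conn))
        while ts - window[0][0] > WINDOW:  # drop failures older than WINDOW
            window.popleft()
        connections = {c for _, c in window}
        if len(window) >= MAX_FAILURES and len(connections) >= MAX_CONNECTIONS:
            alerts[src] = ts
    return alerts


def constructed_sample():
    """Constructed log lines: one source failing 3 logins on each of 16
    parallel connections, and one user mistyping twice on one connection."""
    base = datetime(2005, 1, 22, 10, 0, 0)
    lines = []
    for attempt in range(3):
        for conn in range(16):
            ts = base + timedelta(seconds=5 * attempt, milliseconds=100 * conn)
            lines.append(f"{ts.isoformat()} 203.0.113.7 c{conn} FAIL")
    for i, result in enumerate(["FAIL", "FAIL", "OK"]):
        ts = base + timedelta(seconds=30 + 10 * i)
        lines.append(f"{ts.isoformat()} 198.51.100.4 u1 {result}")
    return lines


if __name__ == "__main__":
    for src, when in detect_parallel_guessing(constructed_sample()).items():
        print(f"{when.isoformat()} parallel password guessing suspected: {src}")
```

The detector keys on parallelism, so a slow run of failures on a single connection is left to the server's own per-connection attempt limit.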

12. Error Report & Suggestions
---------------
If you find bugs in this software or have written a new module, email us: vh@thc.org

Type Bits/KeyID    Date       User ID
pub  2048/CDD6A571 1998/04/27 van Hauser / THC

Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e ns] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-f] [-s PORT] [-S] [-vV] server service [OPT]

Parameter list:
  -R        restore a previously stopped cracking session and continue cracking
  -S        connect via SSL
  -s PORT   if the service is on a different port, define it here (replaces the default port)
  -l LOGIN or -L FILE   log in with a single login name, or load a list of login names from a dictionary file
  -p PASS or -P FILE    try a single password, or load a list of passwords from a dictionary file
  -e ns     additional checks: n tries an empty password, s tries the login name as the password
  -C FILE   file in colon-separated "login:pass" format, used instead of the -L/-P parameters
  -M FILE   server list for parallel attacks (translator: an IP list), one entry per line
  -o FILE   write found login/password pairs to the file instead of to the screen
  -f        stop cracking after the first login/password pair is found (per host when the -M parameter is used)
  -t TASKS  run TASKS connections in parallel (default: 16)
  -w TIME   maximum time in seconds to wait for responses (default: 30)
  -v / -V   verbose mode; shows the login name and password cracking process in detail
  server    the target server (translator: the host whose passwords you want to crack); you can use the -M parameter instead
  service   the service to crack. Supported protocols: [telnet ftp pop3 imap smb smbnt http https http-proxy cisco cisco-enable ldap mssql mysql nntp vnc socks5 rexec snmp cvs icq pcnfs sapr3 ssh2 smtp-auth]
  OPT       some service modules require special input (see 5. Special parameter module)

Examples:
  hydra -l login -P /tmp/passlist 192.168.0.1 ftp
    login is the user name to be cracked; passlist is the password dictionary file.
  hydra -l login -P passfile 192.168.0.1 smb
    login is the login name to be cracked; passfile is the password dictionary file; this cracks the SMB operating system login password.
FreexPloit: AlLyleNO
Postscript:
1. The dictionary meaning of Hydra is the nine-headed snake.
2. The translation is imperfect; can someone help me correct it?

================================================================================

H Y D R A
(c) 2001-2004 by van Hauser / THC

INTRODUCTION
------------
Number one of the biggest security holes are passwords, as every password security study shows.
This tool is a proof of concept code, to give researchers and security consultants the possibility to show how easy it would be to gain unauthorized access from remote to a system.
THIS TOOL IS FOR LEGAL PURPOSES ONLY! FOR USING THIS TOOL COMMERCIALLY, SEE THE LICENCE FILE!

There are already several login hacker tools available, however none does either support more than one protocol to attack or support parallelized connects.

Currently this tool supports: TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, LDAP, SMB, SMBNT, MS-SQL, MYSQL, REXEC, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3, Cisco auth, Cisco enable, SMTP-AUTH, SSH2, SNMP, CVS, Cisco AAA.

However the module engine for new services is very easy, so it will not take a long time until even more services are supported.
Planned are: SSH v1, Oracle and more.
Your help in writing these modules is highly appreciated!! :-)

HOW TO COMPILE
--------------
Type "./configure" and then "make" and "make install".
If you have cygwin, you have to follow the instructions "./configure" prints after running.
For PalmPilot, run "./configure-palm".
For ARM processor mobiles, run "./configure-arm".

SUPPORTED PLATFORMS
-------------------
All UNIX platforms (Linux, *BSD, Solaris, etc.)
Mac OS/X
Windows with cygwin (both IPv4 and IPv6)
Mobile systems with ARM processors and Linux (e.g. Zaurus, iPAQ)
PalmOS

HOW TO USE
----------
Type "./configure", followed by "make" to compile hydra and then "./hydra -h" to see the command line options.
You may also type "make install" to install hydra to /usr/local/bin.
Note that no login/password file is included. Generate them yourself.
For Linux users, a GTK gui is available, try "./xhydra"

SPECIAL OPTIONS FOR MODULES
---------------------------
Via the third command line parameter (TARGET SERVICE OPTIONAL) or the -m command line option, you can pass one option to a module.
Only some modules actually use this, a few require this.
Here is the complete list:

Service module             Optional parameter
================================================================
www / http / ssl / https   specifies the page to authenticate at (REQUIRED)
                           Value can be "/secret" or "http://bla.com/foo/bar"
                           or "https://test.com:8080/members"
http-proxy                 specifies the page to authenticate at
                           (OPTIONAL, default http://www.suse.com/)
smbnt                      value [L, LH, D, DH, B, BH]
                           (L) check local accounts, (D) domain accounts,
                           (B) either, (H) interpret passwords as NTLM hashes
ldap                       specifies the DN (OPTIONAL, you can also specify
                           the DN as login with -l)
cisco-enable               specifies the logon password for the cisco device
                           (REQUIRED)
sapr3                      specifies the client id, a number between 0 and 99
                           (REQUIRED)
telnet                     specifies the string which is displayed after a
                           successful login (case insensitive), use if the
                           default in the telnet module produces too many
                           false positives (OPTIONAL)

An example for how to use this with the www module to hand over the web page to authenticate to:
  hydra -l jdoe -P /tmp/passlist www.attack.com http /members/
is the same like:
  hydra -m /members/ -l jdoe -P /tmp/passlist www.attack.com http
other example:
  hydra -m LH -l administrator -P sam.dump nt.microsoft.com smbnt
still other example:
  hydra -l gast -p gast -m 6 -s 3200 sapr3.sap.com sapr3
or
  hydra -l Blane "Welcome Hacker"

RESTORING AN ABORTED/CRASHED SESSION
------------------------------------
When hydra is aborted with Control-C, killed or crashes, it leaves a "hydra.restore" file behind which contains all necessary information to restore the session. This session file is written every 5 minutes.
NOTE: if you are cracking parallel hosts (-M option), this feature doesn't work, and is therefore disabled!
NOTE: the hydra.restore file can NOT be copied to a different platform (e.g. from little endian to big endian, or from solaris to aix)

HOW TO SCAN/CRACK OVER A PROXY
------------------------------
The environment variable HYDRA_PROXY_HTTP defines the web proxy (this works just for the http/www service!).
The following syntax is valid:
  HYDRA_PROXY_HTTP="http://123.45.67.89:8080/"
For all other services, use the HYDRA_PROXY_CONNECT variable to scan/crack via a web proxy's CONNECT call. It uses the same syntax, e.g.:
  HYDRA_PROXY_CONNECT=proxy.anonymizer.com:8000
If you require authentication for the proxy, use the HYDRA_PROXY_AUTH environment variable:
  HYDRA_PROXY_AUTH="the_login:the_password"

ADDITIONAL HINTS
----------------
* uniq your dictionary files! This can save you a lot of time :-)
  cat words.txt | sort | uniq > dictionary.txt
* if you know that the target is using a password policy (allowing users only to choose passwords with a minimum length of 6, containing at least one letter and one number, etc.), use the tool pw-inspector which comes along with the hydra package to reduce the password list:
  cat dictionary.txt | pw-inspector -m 6 -c 2 -n > passlist.txt

OPTIONS YOU WILL NEVER SEE IN HYDRA
-----------------------------------
In this section I put feature requests which I will never implement within hydra - and why.

? feeding login/passwords from stdin (e.g. from john)
# This will not be implemented as it would not be possible to use with a) the restore functionality and b) multiple targets. Workarounds for b) would be possible, however ugly hacks which would sometimes not work. As this feature will therefore not fit the other standard functionality, you will never see it here.

SPEED
-----
Through the parallelizing feature, this password cracker tool can be very fast, however it depends on the protocol. The fastest is generally POP3, then FTP, then Telnet, and the least IMAP.
Experiment with the task option (-t) to speed things up! The higher - the faster ;-) (but too high, and it disables the service)

STATISTICS
----------
Run against a SuSE Linux 7.2 on localhost with a "-C FILE" containing 295 entries (294 tries invalid logins, 1 valid). Every test was run three times (only for "1 task" just once), and the average noted down.

                             Parallel tasks
Service   1      4      8      16     32     50     64     100    128
------------------------------------------------------------------------
telnet    23:20  5:58   2:58   1:34   1:05   0:33   0:45*  0:25*  0:55*
ftp       45:54  11:51  5:54   3:06   1:25   0:58   0:46   0:29   0:32
pop3      92:10  27:16  13:56  6:42   2:55   1:57   1:24   1:14   0:50
imap      31:05  7:41   3:51   1:58   1:01   0:39   0:32   0:25   0:21

(*) Note: telnet timings can be VERY different for 64 to 128 tasks! E.g. with 128 tasks, running four times resulted in timings between 28 and 97 seconds! The reason for this is unknown...

Guesses per task: 295 74 38 19 10 6 5 3

Guesses possible per connect (depends on the server software and config):
  telnet 4
  ftp    6
  pop3   1
  imap   3

BUGS & FEATURES
---------------
Email me if you find bugs or if you have written a new module.
vh@thc.org

Type Bits/KeyID    Date       User ID
pub  2048/CDD6A571 1998/04/27 van Hauser / THC