


Brute Forcing With Hydra-gtk
Sniffing VoIP Calls With Wireshark
Havij SQL Injection Tool
FOCA For Metadata Analysis

Brute forcing
Hydra-gtk (linux)

Using Hydra to dictionary-attack
Hydra is an online password cracking tool which can be used to dictionary-attack various services
by trying lists of usernames and passwords until a successful login is found. It is multi-threaded
and can be very fast, trying username/password combinations at a rate of thousands per minute.

Hydra can be used to attack many different services including IMAP, SMB, HTTP, VNC, MS-SQL,
MySQL, SMTP, SSH, and many more.

(Hydra is to online cracking of passwords what John The Ripper is to offline cracking of passwords.)

Often, web-based login forms authenticate using the HTTP POST method, but judging from
several blogs I have read on this subject, it sounds like some people have great difficulty in getting
Hydra to work effectively in this situation.

I have had a great deal of success with hydra, so here I describe how to get Hydra working with
web-based form logins.

This attack is not limited to websites, and I would argue that it is more suited for gaining login
access to software products that have a web UI, for example in penetration tests.

This tool should not be used to attack websites or services where you do not have permission to
do so. Use this for legitimate testing purposes only.

Some differences between online and off-line password cracking

There are significant differences between online and off-line password cracking.

With off-line cracking, you have the hashes on your system, they are static, and you can try
dictionary, hybrid, and brute force attacks to your heart's content. You have as long as you want,
and you can try many billions of attempts in a short space of time.

The attack success is purely dependent on password strength versus processor power and time
(and few user-chosen passwords will be strong enough to last).

With online password attacks there are more issues to consider, such as: network bandwidth,
account lockouts, tar-pitting, changing passwords, and detection in logs and by an IDS.

Online attacks are more suited to relatively small and focused dictionary attacks rather than
exhaustive brute-force.

A simple Hydra SSH example

Here is a simple example of running a Hydra attack against an SSH server.

hydra <target-host> ssh2 -s 22 -P pass.txt -L users.txt -e ns -t 10

This will attack <target-host> (a placeholder for the host being tested) on port 22 with the SSH
protocol, 10 threads at a time, and try all the combinations of usernames and passwords supplied in
the files users.txt and pass.txt (plus, from -e ns, empty passwords and passwords identical to the
username). Current Hydra releases name the module ssh; ssh2 is the older name used here.

This can take a while, so it is best to only use usernames you know exist, and a relatively small list
of passwords (many thousands rather than many millions). This attack generally works very well
for simple dictionary passwords.
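An added example, not part of the original tutorial, showing the defender's side of the SSH attack above: a small Python detector that reads sshd auth.log lines, flags a source that produces many failures inside a short window, and records whether a login from that source then succeeds. The log lines are constructed for the example, and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Matches the sshd auth.log lines an online dictionary attack produces.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)
# Constructed sample log: one source cycles through users and then lands a valid login;
# a second source shows a single ordinary typo that must not be flagged.
SAMPLE_LOG = """\
Mar 13 10:01:12 bastion sshd[2311]: Failed password for invalid user admin from 198.51.100.7 port 51544 ssh2
Mar 13 10:01:13 bastion sshd[2312]: Failed password for root from 198.51.100.7 port 51546 ssh2
Mar 13 10:01:13 bastion sshd[2313]: Failed password for invalid user test from 198.51.100.7 port 51548 ssh2
Mar 13 10:01:14 bastion sshd[2314]: Failed password for alice from 198.51.100.7 port 51550 ssh2
Mar 13 10:01:15 bastion sshd[2315]: Failed password for alice from 198.51.100.7 port 51552 ssh2
Mar 13 10:01:16 bastion sshd[2316]: Accepted password for alice from 198.51.100.7 port 51554 ssh2
Mar 13 10:05:40 bastion sshd[2350]: Failed password for bob from 203.0.113.5 port 40022 ssh2
Mar 13 10:05:49 bastion sshd[2351]: Accepted password for bob from 203.0.113.5 port 40024 ssh2
""".splitlines()

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year is irrelevant for deltas
    return ts, m["result"], m["user"], m["ip"]

def find_bruteforce(lines, threshold=5, window_s=60):
    # Alert on any source with >= threshold failures inside a sliding window of window_s
    # seconds, and record the account if a login from that source then succeeds.
    state = defaultdict(lambda: {"times": [], "users": set()})
    alerts = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        s = state[ip]
        s["times"] = [t for t in s["times"] if (ts - t).total_seconds() <= window_s]
        if result == "Failed":
            s["times"].append(ts)
            s["users"].add(user)
            if len(s["times"]) >= threshold:
                alerts[ip] = {"failures": len(s["times"]), "users": sorted(s["users"]),
                              "success_after": None}
        elif ip in alerts and len(s["times"]) >= threshold:
            alerts[ip]["success_after"] = user  # the guess worked: treat as a compromise
    return alerts
```

Calling find_bruteforce(SAMPLE_LOG) flags only 198.51.100.7, with alice recorded as the account that was finally guessed; the single failure from 203.0.113.5 stays below the threshold.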

Web-based login forms prerequisites

For web-based forms, you have to know much more information about the form you are attacking
before you start the attack. Every web-based form is slightly different, different URLs and
parameters, and different responses for success or failure.

You need to know:
The hostname/IP and URL
Whether it is a HTTPS or HTTP service
Whether the form supports GET or POST (or both)
The parameters of the request
The difference in response between success and failure
Whether any session cookies are required to be set or maintained
What lockout features and thresholds are enabled (if any)
Not knowing or understanding the above information can be a big cause of failure.

For the parameters of the request, you can intercept and examine a normal login attempt with a
web proxy (such as OWASP ZAP, WebScarab or Burp Suite), use a browser plugin (such as
Tamper Data), or just look at the HTML form.

An example attack

Type xhydra into the terminal (it is preinstalled on Kali Linux and BackTrack).

Enter the username of the target account and point Hydra-gtk at the wordlist (e.g. Darkc0de.lst) to use for the attack.

Sniffing VoIP Calls With Wireshark

VoIP phones are deployed in every major organization, and they provide an attack surface for
any malicious user who knows the basics of hacking. If there is no encryption on the
communication medium, an attacker could eavesdrop on phone conversations, which might impact
the business if calls are classified as confidential.
A pentester should be able to identify whether eavesdropping is possible on the voice network via the
following technique.
ARP Poisoning

The first step before implementing a Man-in-the-Middle attack is to enable IP forwarding in order to
be able to route traffic from your system to the gateway with the following command:

echo 1 > /proc/sys/net/ipv4/ip_forward

Now you can perform a Man-in-the-Middle attack in order to be able to intercept VoIP traffic. This
can be achieved really easily with the command below:
Capturing and Decoding VoIP Traffic

Now that the traffic is being routed through your box, you can use Wireshark to sniff any SIP
traffic. We are particularly interested in the RTP packets, as they contain the actual conversation of
a VoIP call.

RTP Traffic

Wireshark contains a built-in utility called VoIP calls which can decode RTP data into a playable
audio format.

Decoding RTP Traffic-Wireshark


As we saw, it is very easy and fast to eavesdrop on a phone conversation just by performing a
MitM attack and having a tool like Wireshark to sniff the traffic. In VoIP assessments, pentesters
should try to implement this attack in order to identify whether eavesdropping is possible. To prevent this
attack, companies should use SRTP, which is a secure protocol that provides encryption of the
data being transferred, so even if an attacker is able to capture the call it will be difficult to decrypt
the data and listen to the conversation.
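An added defender-side example, not part of the original write-up: the Python code below shows the signal that the ARP poisoning step above leaves on the wire, namely an IP whose MAC suddenly changes and one MAC answering for both the gateway and a phone (the same checks a passive monitor such as arpwatch performs). The ARP replies are constructed records, not a real capture.

```python
from collections import defaultdict

# Constructed ARP replies (time, sender IP, sender MAC) as a passive monitor on the voice
# VLAN would record them; the last three model a poisoning attempt and the real gateway
# replying again afterwards.
ARP_REPLIES = [
    ("10:00:01", "10.0.5.1", "00:11:22:33:44:01"),   # gateway
    ("10:00:02", "10.0.5.20", "00:11:22:33:44:20"),  # IP phone
    ("10:00:30", "10.0.5.1", "de:ad:be:ef:00:99"),   # gateway IP claimed by a new MAC
    ("10:00:30", "10.0.5.20", "de:ad:be:ef:00:99"),  # same MAC also claims the phone's IP
    ("10:00:45", "10.0.5.1", "00:11:22:33:44:01"),   # real gateway answers again: flip-flop
]

def detect_arp_poisoning(replies):
    """Return (time, kind, subject, detail) alerts for IP->MAC changes ("mac_change")
    and for a MAC that answers for more than one IP ("multi_ip")."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append((ts, "mac_change", ip, f"{prev} -> {mac}"))
        ip_to_mac[ip] = mac
        is_new = ip not in mac_to_ips[mac]
        mac_to_ips[mac].add(ip)
        if is_new and len(mac_to_ips[mac]) > 1:
            alerts.append((ts, "multi_ip", mac, ",".join(sorted(mac_to_ips[mac]))))
    return alerts
```

On a switched network, dynamic ARP inspection or static ARP entries for the gateway stop the poisoning itself; this detector only tells you it happened.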

Havij SQL Injection Tool

1) Run the program and paste the vulnerable link in the target box.

2) Before you paste your target, note that the target has to be vulnerable, otherwise this isn't going
to work; it must be SQL-injectable. I will also make a tutorial on how to find out whether a website
is SQL-injectable. Usually, if you find the website is vulnerable, you will need to find a page
on the website with a small number on the end of the URL, for example mine is id=205; this is your
injection point. Now you should click on Analyze next to your target site.

3) It will start sending feedback and messages; show some patience and wait for about a

4) Then move to another operation: go to Tables and wait for 5 minutes until this operation has

5) After finding tables, click on users for the admin password, and also be sure to click Get the

6) Now tick username and password, and click get data.

7) Yes! We got the ID and password, as you can see below; now we just need to crack the hashes.

8) Now we have to paste the hash into the MD5 hash menu to crack it.

9) Finally you can see below, we have cracked the password through havij.

10) Now we can control the web page by entering the ID and password.
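The tutorial's injection point is a numeric id parameter. As an added example that is not part of the original text, the Python code below contrasts a lookup that pastes that parameter into the SQL text (the defect an automated injection tool exploits) with a version that validates and binds it. The schema, rows and the probe value are constructed for the example.

```python
import sqlite3

def make_db():
    # Constructed sample schema resembling a site with article pages addressed by id.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO articles VALUES (205, 'Public article');
        INSERT INTO articles VALUES (206, 'Another public article');
    """)
    return conn

def lookup_vulnerable(conn, raw_id):
    # The request parameter becomes part of the SQL text, so anything the client sends
    # after the number is executed as SQL.
    return conn.execute(f"SELECT id, title FROM articles WHERE id = {raw_id}").fetchall()

def lookup_hardened(conn, raw_id):
    # Validate the type first, then pass the value as a bound parameter: the client can
    # no longer change the structure of the query.
    try:
        article_id = int(raw_id)
    except ValueError:
        return []
    return conn.execute("SELECT id, title FROM articles WHERE id = ?", (article_id,)).fetchall()

def demo():
    conn = make_db()
    probe = "205 OR 1=1"  # tautology appended to the id: the minimal injection test
    return {
        "normal": lookup_vulnerable(conn, "205"),
        "vulnerable_with_probe": lookup_vulnerable(conn, probe),
        "hardened_with_probe": lookup_hardened(conn, probe),
    }
```

Step 8 of the tutorial also depends on the stored hashes being unsalted MD5; storing passwords with a slow, salted hash such as bcrypt or Argon2 is the matching mitigation for that part of the chain.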

FOCA For Metadata Analysis

FOCA is an excellent website reconnaissance tool with lots of interesting features and
capabilities. Remember, before attacking any website or domain, it is critical to gather as much
information as possible. From this information, you can determine the attack that is most likely to
work against that site or network.

The metadata FOCA extracts from documents can give us insight into such information as the users (could be critical in cracking
passwords), operating system (exploits are OS-specific), email addresses (possibly for social
engineering), the software used (once again, exploits are OS-specific and, more and more often,
application-specific), and if we are really lucky, passwords.

Step 1: Download FOCA for Windows

Step 2: Choose Where You Save Results
When you install FOCA, you will be greeted with a screen like that below. The first task we need to do
is to start a new project and then tell FOCA where we want to save our results.

I created a new directory at c:\foca and will save all my results there. Of course, you can save your
results wherever is convenient for you, or use the default temp directory.

Step 3: Create a Project
In this tutorial, I will be starting with a project named after the information security training
company, SANS, which is located at, and I will be saving my results to c:\foca.

Step 4: Getting the Metadata

Once I create my project, I can go to the object explorer to the far left and select Metadata. This
enables us to pull the metadata from the files on the website that contain metadata. Files such as
.pdf, .doc, .xls, etc. all contain metadata that could be useful in your hack of your target.

When you select Metadata, you will pull up a screen like that below. In our case here, we will be
searching for .doc files, so the syntax to be placed in the search window is: filetype:doc

This will search the entire website, looking for .doc files. When I hit the Search button
next to the window, it will begin to search and find all the .doc files at
Of course, if you were searching for .pdf files or other filetypes, you would put in that filetype. You
can also search for multiple filetypes by listing them after filetype, such as: filetype:pdf,doc,xls

Step 5: Download the Files
Once FOCA is done retrieving a list of all the .doc files, we can then right-click on any file and
download the file to our hard drive, download all the files, or analyze the metadata. I chose to
download all the .doc files I found at

Step 6: Collect & Analyze the Metadata

Now that we have downloaded all the .doc files, I chose to analyze all the metadata in them.
Microsoft's Office files collect significant amounts of data as they are being created and edited that
we can then extract.

When we expand the Metadata folder in the object explorer, you can see that we have 156 .doc
files and 2 .docx files.

The Types of Metadata Collected
Just beneath the Metadata documents folder is another folder titled Metadata Summary. We can
click on it and it reveals the types of metadata it has collected from the files. This metadata is
broken into eight (8) categories:

1. Users
2. Folders
3. Printers
4. Software
5. Emails
6. Operating Systems
7. Passwords
8. Servers

Lets take a look at Users first. When we click on users, we can see that FOCA has collected the
names of every user that worked on those files.

When we click on Software, we can see the various editions of Microsoft Office that have been
used, including nineteen (19) users that created their documents with Office 03.

We can also look for email addresses that are embedded in the documents as displayed below.
Obviously, these folks are making themselves available to a social engineering attack.

We can also gather printer, folder, password, and server information from this metadata, depending upon the
documents we recover. All of this information can then be used to determine what the best attack
against this organization/website is.


Using these simple methods can protect your business and your peace of

1. Establish strong passwords
2. Put up a strong firewall
3. Install antivirus protection
4. Update your programs regularly
5. Secure your laptops
6. Secure your mobile phones
7. Backup regularly
8. Monitor diligently
9. Be careful with e-mail, IM and surfing the Web
10. Educate your employees