Hydra for cracking online web portals, ssh and ftp ports
For this section I’ll cover two examples using hydra; both are instances I’ve used in exploits from various CTFs.
First, some of the basic flags used with hydra:
- You need a username: `-l admin` for a single username, or `-L usernamelist.txt` for a list of possible usernames.
- You need a password to run against the username(s): `-p aSinglePassword` or `-P /usr/share/wordlists/rockyou.txt`, the latter option being more common.
- You need the IP address or URL you are targeting, for example: `10.10.188.175`
- If you need to designate a non-default port: `-s [port#]`
- The type of attack; examples include `http-post-form`, `ssh`, or `ftp`, to name but a few.
- If it is a web-based attack like `http-post-form`, you will need to designate either a successful login, `:S=302`, indicating a redirect which might be a good sign, or a failure string, `:F=failed`, which would designate a failed login attempt (i.e. ignore and keep trying).
- Also worth noting: I have had issues with needing to add “http://” in front of the IP address even when specifying that it is an `http-post-form` attack.
- Another part you will need for the web logins specifically is the actual request, which is obtained with Burp Suite; I will get into that down below.
- There are many more flags you can include, but these should be enough to get you started.
Example: Using hydra against a web portal
This was a Mr. Robot themed CTF if I recall correctly; anyway, hopefully seeing all this put together makes more sense.
After running gobuster to enumerate their web server I found their login portal at “/wp-login”. From there I used Burp Suite to capture the request:
I replaced my test inputs of “testuser” and “testpw” with the appropriate `^USER^` and `^PASS^` notation, and at the end of that added that a success means a 302 redirect, since that means I am being logged in and forwarded elsewhere: `:S=302`.
Before I show the command I will also note that I knew the username was `fsociety` and had obtained a password list hidden on their site called `fsociety.dic`.
So - putting all this together and knowing the syntax from above we get the following (semi-coherent) command:
hydra -l fsociety -P /home/wesleyvm1/Downloads/fsociety.dic 10.10.188.175 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.10.188.175%2Fwp-admin%2F&testcookie=1:S=302"
It’s as simple as that. Even more simple is an ssh brute force, which I will cover below.
Quick note: To clarify the `:F=failed` scenario: if, after attempting a login, that word (in this scenario “failed”) appears on the returned page, hydra treats it as an F, or failure, so it will keep trying until it gets a response that does not contain the word “failed”, i.e. a successful login.
Example: Using hydra against ssh
I forget the name of this CTF, but you’ll see how much more straightforward an exploit this was.
What I knew going into this: the username was `lin`, and I had obtained a possible password file named `locks.txt` anonymously from their FTP server.
The final command ended up being as simple as:
hydra -t 4 -l lin -P /home/wesleyvm1/Downloads/locks.txt 10.10.180.91 ssh -v
And to see what a successful login looks like, this is what I (eventually) got:
You can see for this instance I chose to include the `-t 4` flag to lower the default number of tasks (parallel threads) and used `-v` for verbose. Not including the limiting `-t` can result in failed login attempts, simply because too many login attempts are made too quickly; I want to say the default number of threads is 16.
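The flip side of both examples above is what they leave in the target's logs: a burst of POSTs to the login form that all return 200 until one returns 302, or a run of `Failed password` lines from one address followed by `Accepted password`. The following is an added example, not code from the original post, that detects exactly that pattern over constructed Apache-style access log lines and OpenSSH auth.log lines (the IPs, timestamps and host name `srv` are made up). The threshold and window values are assumptions a defender would tune to the environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Regexes for the two log formats: Apache/nginx combined access log, and OpenSSH's
# auth.log password events. Only the fields the detector needs are captured.
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
SSH_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) password for "
    r"(?:invalid user )?(\S+) from (\S+) port"
)


def parse_web_log(text, login_path="/wp-login.php"):
    """Return (time, source_ip, success) for POSTs to the login form.
    Mirrors hydra's :S=302 rule: WordPress answers a bad login with 200 and
    re-renders the form, a good one with a 302 redirect."""
    events = []
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if method != "POST" or path != login_path:
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        events.append((when, ip, status == "302"))
    return events


def parse_auth_log(text, year=2024):
    """Return (time, source_ip, success) from sshd password events.
    syslog timestamps carry no year, so the caller supplies one (assumed 2024 here)."""
    events = []
    for line in text.splitlines():
        m = SSH_RE.match(line)
        if not m:
            continue
        ts, outcome, _user, ip = m.groups()
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        events.append((when, ip, outcome == "Accepted"))
    return events


def detect_bruteforce(events, threshold=10, window=timedelta(seconds=60)):
    """Flag source IPs with >= threshold failures inside any `window`, and record
    whether a success followed such a burst (the signature of a guessed credential)."""
    by_ip = defaultdict(list)
    for when, ip, ok in sorted(events):
        by_ip[ip].append((when, ok))
    findings = {}
    for ip, seq in by_ip.items():
        recent = []  # failure timestamps still inside the sliding window
        peak = 0
        success_after_burst = False
        for when, ok in seq:
            while recent and when - recent[0] > window:
                recent.pop(0)
            if ok:
                if len(recent) >= threshold:
                    success_after_burst = True
            else:
                recent.append(when)
                peak = max(peak, len(recent))
        if peak >= threshold:
            findings[ip] = {"peak_failures": peak, "success_after_burst": success_after_burst}
    return findings


# Constructed sample logs (not captured from any real host). 10.0.0.5 hammers the
# WordPress login 12 times in 12 s and then gets a 302; 192.0.2.9 mistypes once.
def _web_line(ip, sec, status):
    return f'{ip} - - [12/Mar/2024:10:00:{sec:02d} +0000] "POST /wp-login.php HTTP/1.1" {status} 4823'


WEB_LOG = "\n".join(
    [_web_line("10.0.0.5", s, 200) for s in range(12)]
    + [_web_line("10.0.0.5", 12, 302)]
    + [_web_line("192.0.2.9", 30, 200)]
)


def _ssh_line(ip, sec, outcome, user="lin"):
    return (f"Mar 12 10:00:{sec:02d} srv sshd[4021]: {outcome} password for {user} "
            f"from {ip} port {51000 + sec} ssh2")


SSH_LOG = "\n".join(
    [_ssh_line("10.0.0.5", s, "Failed") for s in range(10)]
    + [_ssh_line("10.0.0.5", 10, "Accepted")]
    + ["Mar 12 10:20:00 srv sshd[4100]: Failed password for invalid user admin "
       "from 198.51.100.7 port 40000 ssh2"]
)

if __name__ == "__main__":
    print("web:", detect_bruteforce(parse_web_log(WEB_LOG)))
    print("ssh:", detect_bruteforce(parse_auth_log(SSH_LOG)))
```

The `-t` remark above is the reason a per-source sliding window works so well here: a tool that does not throttle itself produces a burst no human could, and the one success at the end of the burst is the event that actually matters.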
Hash-identifier, hashid, and John
Okay, let’s say you get your hands on the `/etc/shadow` file or some other form of a hashed password; how do you go about identifying the hash before you can try and break it?
For this, many distributions of Linux should have a tool called “hash-identifier”. How it works is you simply type `hash-identifier` in your terminal, and that will start the program, where you’ll be prompted to enter the hash. Alternatively, you can use a tool called “hashid”, which works very similarly to the former; if you need help with this one just enter `man hashid` or `hashid --help`.
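To make the identification step concrete, here is an added example (not part of the original post, and not how hash-identifier or hashid are implemented) that classifies a hash the same way those tools do: by the crypt(3) `$id$` prefix for shadow entries, and by length and character set for raw hex digests. It also parses `/etc/shadow`-style lines and reports which accounts are locked, which have no password, and which use a fast or unsalted hash. The John format names in the table are the ones a jumbo build prints for `john --list=formats`; confirm them against your own build. The shadow lines are constructed and contain no real hashes.

```python
import hashlib
import re

# crypt(3)-style prefixes seen in /etc/shadow. Values: (algorithm, John format, weak).
# John format names as listed by a jumbo build (assumption: check --list=formats).
CRYPT_PREFIXES = {
    "$1$":  ("md5crypt",    "md5crypt",    True),   # fast and long deprecated
    "$2a$": ("bcrypt",      "bcrypt",      False),
    "$2b$": ("bcrypt",      "bcrypt",      False),
    "$2y$": ("bcrypt",      "bcrypt",      False),
    "$5$":  ("sha256crypt", "sha256crypt", False),
    "$6$":  ("sha512crypt", "sha512crypt", False),
    "$y$":  ("yescrypt",    None,          False),  # no dedicated John format in most builds
}

# Unsalted hex digests keyed by length. Several algorithms share a length, so the
# first candidate is only a guess that the chosen John format has to confirm.
HEX_BY_LEN = {
    32:  (["MD5", "NTLM", "MD4"], "Raw-MD5"),
    40:  (["SHA-1", "RIPEMD-160"], "Raw-SHA1"),
    64:  (["SHA-256", "SHA3-256"], "Raw-SHA256"),
    128: (["SHA-512", "SHA3-512"], "Raw-SHA512"),
}

HEX_RE = re.compile(r"[0-9a-fA-F]+")
DESCRYPT_RE = re.compile(r"[./0-9A-Za-z]{13}")   # traditional DES crypt: 13 chars


def identify(hash_str):
    """Classify one password hash: candidate algorithms, John format, weak flag."""
    h = hash_str.strip()
    for prefix, (algo, fmt, weak) in CRYPT_PREFIXES.items():
        if h.startswith(prefix):
            return {"candidates": [algo], "john_format": fmt, "weak": weak}
    if HEX_RE.fullmatch(h) and len(h) in HEX_BY_LEN:
        candidates, fmt = HEX_BY_LEN[len(h)]
        # an unsalted fast digest falls to a wordlist almost immediately
        return {"candidates": candidates, "john_format": fmt, "weak": True}
    if DESCRYPT_RE.fullmatch(h):
        return {"candidates": ["descrypt (traditional DES)"], "john_format": "descrypt", "weak": True}
    return {"candidates": [], "john_format": None, "weak": False}


def audit_shadow(text):
    """Parse /etc/shadow-style lines and report each account's password state."""
    report = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, field = fields[0], fields[1]
        if field == "":
            # empty field: login with no password at all, the worst finding here
            report[user] = {"state": "empty", "candidates": [], "john_format": None, "weak": True}
        elif field.startswith("!") or field.startswith("*"):
            # "!" / "*" mark accounts that cannot authenticate with a password
            report[user] = {"state": "locked", "candidates": [], "john_format": None, "weak": False}
        else:
            report[user] = {"state": "hashed", **identify(field)}
    return report


def weak_accounts(report):
    """Accounts an administrator should fix first: no password or a weak hash."""
    return sorted(u for u, r in report.items() if r["weak"])


# Constructed sample; the hash bodies are placeholder text, not real digests.
SHADOW_SAMPLE = """\
root:$6$constructedsalt$constructedsha512cryptbodyNotARealHash0123456789abcdef:19700:0:99999:7:::
legacy:$1$abcdefgh$constructedmd5cryptbody0123:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
svc:!:19700::::::
kiosk::19700::::::
"""

if __name__ == "__main__":
    for user, entry in audit_shadow(SHADOW_SAMPLE).items():
        print(user, entry)
    print("fix first:", weak_accounts(audit_shadow(SHADOW_SAMPLE)))
    print(identify(hashlib.md5(b"constructed").hexdigest()))
```

Note the ambiguity the table encodes: a 32-character hex string is just as likely an NTLM hash as a raw MD5, which is exactly why the page's next step, picking the format explicitly with `john --format=...`, matters.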
Now, using John to crack the hash. The first step is to determine which type of hash you are cracking; for instance, John lists at least five different forms of MD5 hashes. So to identify which one to use with John, type in something along the lines of `john --list=formats | grep MD5`. This will give the different MD5 hash forms you can try. Once the format is chosen, you will need a password list to use; the default should almost always be the `rockyou.txt` file, and if that doesn’t work you’ll likely have to branch out to other lists from SecLists or create your own customized one.
Now to set up an example brute force against an MD5 hash stored in the hashes.txt file:
john --format=Raw-MD5 --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
Note: If you have already cracked a specific hash and deleted it, John will say it is already cracked if you try it again and then annoyingly not show you what it is. That cracked hash can be found in the john.pot file on your system. Since I don’t know where you’ll install John, you can find it with the following command:
find / -type f -name john.pot 2>/dev/null
Another note: Sometimes before attempting to crack a file you will need to convert it to a format that John can use. These tools are named things like “ssh2john” or “zip2john” (reference here for a time when I had to use “gpg2john”), and since there are so many different kinds of formats out there, I’ll leave you to do your own research on each one specifically. Just know that before John can take a crack at certain file types there has to be some conversion made beforehand. There are a million forums online that will cover the how-to for ssh keys, zip password protected files, etc - what’s important is that you know these tools exist.
Lastly, if you ever have to convert a file that is encoded as base64, the command is as simple as:
cat filename.ext | base64 -d
and you can of course output the result to a file by adding `> output.txt`.
I’ve only ever had to use this once, but it’s useful to know I suppose.
One note on everyone’s favorite resource… online tools
To be fair, I do try and use John whenever possible to keep sharp on that skill, but I can be lazy, and there are powerful online cracking tools out there. Sometimes it is tedious to go through the whole process: identifying the hash with hash-identifier, which eventually tells you it is a raw MD5 hash; then finding the exact format for it in John with `john --list=formats | grep MD5`, where you eventually see `Raw-MD5` as an output; and then finally running the command `john --format=Raw-MD5 --wordlist=/usr/share/wordlists/rockyou.txt hash.txt`. What I’m saying is that sometimes it can be a tedious process, and plenty of online resources can save you that time and energy. Sites like CrackStation are among many out there that can meet these needs; just make sure to stay proficient with John.