Skip to content

Releases: byt3n33dl3/thc-Hydra

9.6.1 <THC>

20 Nov 04:21
b164307
Compare
Choose a tag to compare


H Y D R A

(c) 2001-2024 by van Hauser / THC [email protected]
continued by [email protected]
many modules were written by [email protected]
BFG code by Jan Dlabal [email protected] and
Sulaiman Aziz [email protected]

Licensed under AGPLv3 and BSD II : see LICENSE file

Please do not use in military or secret service organizations,
or for illegal purposes.
(This is the wish of the author and non-binding. Many people working
in these organizations do not care for laws and ethics anyways.
You are not one of the "good" ones if you ignore this.)

NOTE: no this is not meant to be a markdown doc! old school!

thc-Hydra in the most current github state can be directly downloaded via docker:

docker pull byt3n33dl3/thc-Hydra

INTRODUCTION

Number one of the biggest security holes are passwords, as every password
security study shows.
This tool is a proof of concept code, to give researchers and security
consultants the possibility to show how easy it would be to gain unauthorized
access from remote to a system.

THIS TOOL IS FOR LEGAL PURPOSES ONLY!

There are already several login hacker tools available, however, none does
either support more than one protocol to attack or support parallelized
connects.

It was tested to compile cleanly on Linux, Windows/Cygwin, Solaris,
FreeBSD/OpenBSD, QNX (Blackberry 10) and MacOS.

Currently this tool supports the following protocols:
Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP,
HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY,
HTTPs-FORM-GET, HTTPs-FORM-POST, HTTPs-GET, HTTPs-HEAD, HTTPs-POST,
HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MEMCACHED, MONGODB, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener,
Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, Radmin, RDP, Rexec, Rlogin,
Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5,
SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth,
VNC and XMPP.

However the module engine for new services is very easy so it won't take a
long time until even more services are supported.
Your help in writing, enhancing or fixing modules is highly appreciated!! :-)

WHERE TO GET

You can always find the newest release/production version of thc-Hydra at its
project page at release
If you are interested in the current development state, the public development
repository is at Github:
svn co repo
or
git clone repo
Use the development version at your own risk. It contains new features and
new bugs. Things might not work!

Alternatively (and easier) to can pull it as a docker container:

docker pull byt3n33dl3/thc-Hydra

HOW TO COMPILE

To configure, compile and install thc-Hydra, just type:

./configure
make
make install

If you want the ssh module, you have to setup libssh (not libssh2!) on your
system, get it from libssh, for ssh v1 support you also need
to add "-DWITH_SSH1=On" option in the cmake command line.
IMPORTANT: If you compile on MacOS then you must do this - do not install libssh via brew!

If you use Ubuntu/Debian, this will install supplementary libraries needed
for a few optional modules (note that some might not be available on your distribution):

apt-get install libssl-dev libssh-dev libidn11-dev libpcre3-dev \
libgtk2.0-dev libmysqlclient-dev libpq-dev libsvn-dev \
firebird-dev libmemcached-dev libgpg-error-dev \
libgcrypt11-dev libgcrypt20-dev

This enables all optional modules and features with the exception of Oracle,
SAP R/3, NCP and the apple filing protocol - which you will need to download and
install from the vendor's web sites.

For all other Linux derivates and BSD based systems, use the system
software installer and look for similarly named libraries like in the
command above. In all other cases, you have to download all source libraries
and compile them manually.

SUPPORTED

  • All UNIX platforms (Linux, BSD, Solaris, etc.)
  • MacOS (basically a BSD clone)
  • Windows with Cygwin (both IPv4 and IPv6)
  • Mobile systems based on Linux, MacOS or QNX (e.g. Android, iPhone, Blackberry 10, Zaurus, iPaq)
  _    ___     _______  _____            
 | |  | \ \   / /  __ \|  __ \     /\    
 | |__| |\ \_/ /| |  | | |__) |   /  \   
 |  __  | \   / | |  | |  _  /   / /\ \  
 | |  | |  | |  | |__| | | \ \  / ____ \ 
 |_|  |_|  |_|  |_____/|_|  \_\/_/    \_\
 
        L O G O N F O R C E R

HOW TO USE

If you just enter Hydra, you will see a short summary of the important
options available.
Type ./Hydra -h to see all available command line options.

Note that NO login/password file is included. Generate them yourself.
A default password list is however present, use "dpl4Hydra.sh" to generate
a list.

For Linux users, a GTK GUI is available, try ./xHydra

For the command line usage, the syntax is as follows:
For attacking one target or a network, you can use the new "://" style:
Hydra [some command line options] PROTOCOL://TARGET:PORT/MODULE-OPTIONS
The old mode can be used for these too, and additionally if you want to
specify your targets from a text file, you must use this one:

Hydra [some command line options] [-s PORT] TARGET PROTOCOL [MODULE-OPTIONS]

Via the command line options you specify which logins to try, which passwords,
if SSL should be used, how many parallel tasks to use for attacking, etc.

PROTOCOL is the protocol you want to use for attacking, e.g. ftp, smtp,
http-get or many others are available
TARGET is the target you want to attack
MODULE-OPTIONS are optional values which are special per PROTOCOL module

FIRST - select your target
you have three options on how to specify the target you want to attack:

  1. a single target on the command line: just put the IP or DNS address in
  2. a network range on the command line: CIDR specification like "192.168.0.0/24"
  3. a list of hosts in a text file: one line per entry (see below)

SECOND - select your protocol
Try to avoid telnet, as it is unreliable to detect a correct or false login attempt.
Use a port scanner to see which protocols are enabled on the target.

THIRD - check if the module has optional parameters
thc-Hydra -U PROTOCOL
e.g. thc-Hydra -U smtp

FOURTH - the destination port
this is optional, if no port is supplied the default common port for the
PROTOCOL is used.
If you specify SSL to use ("-S" option), the SSL common port is used by default.

If you use "://" notation, you must use "[" "]" brackets if you want to supply
IPv6 addresses or CIDR ("192.168.0.0/24") notations to attack:
thc-Hydra [some command line options] ftp://[192.168.0.0/24]
thc-Hydra [some command line options] -6 smtps://[2001:db8::1]/NTLM

Note that everything thc-Hydra does is IPv4 only!
If you want to attack IPv6 addresses, you must add the "-6" command line option.
All attacks are then IPv6 only!

If you want to supply your targets via a text file, you can not use the ://
notation but use the old style and just supply the protocol (and module options):
thc-Hydra [some command line options] -M targets.txt ftp
You can also supply the port for each target entry by adding ":" after a
target entry in the file, e.g.:

foo.bar.com
target.com:21
unusual.port.com:2121
default.used.here.com
127.0.0.1
127.0.0.1:2121

Note that if you want to attach IPv6 targets, you must supply the -6 option
and must put IPv6 addresses in brackets in the file(!) like this:

foo.bar.com
target.com:21
[fe80::1%eth0]
[2001::1]
[2002::2]:8080
[2a01:24a:133:0:00:123:ff:1a]

LOGINS AND PASSWORDS

You have many options on how to attack with logins and passwords
With -l for login and -p for password you tell thc-Hydra that this is the only
login and/or password to try.
With -L for logins and -P for passwords you supply text files with entries.
e.g.:

Hydra -l admin -p password ftp://localhost/
Hydra -L default_logins.txt -p test ftp://localhost/
Hydra -l admin -P common_passwords.txt ftp://localhost/
Hydra -L logins.txt -P passwords.txt ftp://localhost/

Additionally, you can try passwords based on the login via the "-e" option.
The "-e" option has three parameters:

s - try the login as password
n - try an empty password
r - reverse the login and try it as password

If you want to, e.g. try "try login as password and "empty password", you
specify "-e sn" on the command line.

But there are two more modes for trying passwords than -p/-P:
You can use text file which where a login and password pair is separated by a colon,
e.g.:

admin:password
test:test
foo:bar

This is a common default account style listing, that is also generated by the
dpl4Hydra.sh default account file generator supplied with thc-Hydra.
You use such a text file with the -C option - note that in this mode you
can not use -l/-L/-p/-P options (-e nsr however you can).
Example:

Hydra -C default_accounts.txt ftp://localhost

And finally, there is a bruteforce mode with the -x option (which you can not
use with -p/-P/-C):

-x minimum_length:maximum_length:charset

the charset definition is a for lowercase letters, A for uppercase letters,
1 for numbers and for anything else you supply it is their real representation.
Examples:

-x 1:3:a generate passwords from length 1 to 3 with all lowercase letters
-x 2:5:/ generat...
Read more

9.6.0

16 Nov 05:31
Compare
Choose a tag to compare


H Y D R A

(c) 2001-2024 by van Hauser / THC [email protected]
continued by [email protected]
many modules were written by David (dot) Maciejak @ gmail (dot) com
BFG code by Jan Dlabal [email protected]
Sulaiman Aziz [email protected]

Licensed under AGPLv3 and BSD II : see LICENSE file

Please do not use in military or secret service organizations,
or for illegal purposes.
(This is the wish of the author and non-binding. Many people working
in these organizations do not care for laws and ethics anyways.
You are not one of the "good" ones if you ignore this.)

NOTE: no this is not meant to be a markdown doc! old school!

thc-Hydra in the most current github state can be directly downloaded via docker:

docker pull byt3n33dl3/thc-Hydra

INTRODUCTION

Number one of the biggest security holes are passwords, as every password
security study shows.
This tool is a proof of concept code, to give researchers and security
consultants the possibility to show how easy it would be to gain unauthorized
access from remote to a system.

THIS TOOL IS FOR LEGAL PURPOSES ONLY!

There are already several login hacker tools available, however, none does
either support more than one protocol to attack or support parallelized
connects.

It was tested to compile cleanly on Linux, Windows/Cygwin, Solaris,
FreeBSD/OpenBSD, QNX (Blackberry 10) and MacOS.

Currently this tool supports the following protocols:
Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP,
HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY,
HTTPs-FORM-GET, HTTPs-FORM-POST, HTTPs-GET, HTTPs-HEAD, HTTPs-POST,
HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MEMCACHED, MONGODB, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener,
Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, Radmin, RDP, Rexec, Rlogin,
Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5,
SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth,
VNC and XMPP.

However the module engine for new services is very easy so it won't take a
long time until even more services are supported.
Your help in writing, enhancing or fixing modules is highly appreciated!! :-)

WHERE TO GET

You can always find the newest release/production version of thc-Hydra at its
project page at Release
If you are interested in the current development state, the public development
repository is at Github:
svn co Repo
or
git clone Repo
Use the development version at your own risk. It contains new features and
new bugs. Things might not work!

Alternatively (and easier) to can pull it as a docker container:

docker pull byt3n33dl3/thc-Hydra

HOW TO COMPILE

To configure, compile and install thc-Hydra, just type:

./configure
make
make install

If you want the ssh module, you have to setup libssh (not libssh2!) on your
system, get it from libssh, for ssh v1 support you also need
to add "-DWITH_SSH1=On" option in the cmake command line.
IMPORTANT: If you compile on MacOS then you must do this - do not install libssh via brew!

If you use Ubuntu/Debian, this will install supplementary libraries needed
for a few optional modules (note that some might not be available on your distribution):

apt-get install libssl-dev libssh-dev libidn11-dev libpcre3-dev \
libgtk2.0-dev libmysqlclient-dev libpq-dev libsvn-dev \
firebird-dev libmemcached-dev libgpg-error-dev \
libgcrypt11-dev libgcrypt20-dev

This enables all optional modules and features with the exception of Oracle,
SAP R/3, NCP and the apple filing protocol - which you will need to download and
install from the vendor's web sites.

For all other Linux derivates and BSD based systems, use the system
software installer and look for similarly named libraries like in the
command above. In all other cases, you have to download all source libraries
and compile them manually.

SUPPORTED

  • All UNIX platforms (Linux, *BSD, Solaris, etc.)
  • MacOS (basically a BSD clone)
  • Windows with Cygwin (both IPv4 and IPv6)
  • Mobile systems based on Linux, MacOS or QNX (e.g. Android, iPhone, Blackberry 10, Zaurus, iPaq)
  _    ___     _______  _____            
 | |  | \ \   / /  __ \|  __ \     /\    
 | |__| |\ \_/ /| |  | | |__) |   /  \   
 |  __  | \   / | |  | |  _  /   / /\ \  
 | |  | |  | |  | |__| | | \ \  / ____ \ 
 |_|  |_|  |_|  |_____/|_|  \_\/_/    \_\
 
     L O G O N B R U T E F O R C E R

HOW TO USE

If you just enter thc-Hydra, you will see a short summary of the important
options available.
Type ./thc-Hydra -h to see all available command line options.

Note that NO login/password file is included. Generate them yourself.
A default password list is however present, use "dpl4thc-Hydra.sh" to generate
a list.

For Linux users, a GTK GUI is available, try ./xthc-Hydra

For the command line usage, the syntax is as follows:
For attacking one target or a network, you can use the new "://" style:
thc-Hydra [some command line options] PROTOCOL://TARGET:PORT/MODULE-OPTIONS
The old mode can be used for these too, and additionally if you want to
specify your targets from a text file, you must use this one:

thc-Hydra [some command line options] [-s PORT] TARGET PROTOCOL [MODULE-OPTIONS]

Via the command line options you specify which logins to try, which passwords,
if SSL should be used, how many parallel tasks to use for attacking, etc.

PROTOCOL is the protocol you want to use for attacking, e.g. ftp, smtp,
http-get or many others are available
TARGET is the target you want to attack
MODULE-OPTIONS are optional values which are special per PROTOCOL module

FIRST - select your target
you have three options on how to specify the target you want to attack:

  1. a single target on the command line: just put the IP or DNS address in
  2. a network range on the command line: CIDR specification like "192.168.0.0/24"
  3. a list of hosts in a text file: one line per entry (see below)

SECOND - select your protocol
Try to avoid telnet, as it is unreliable to detect a correct or false login attempt.
Use a port scanner to see which protocols are enabled on the target.

THIRD - check if the module has optional parameters
thc-Hydra -U PROTOCOL
e.g. thc-Hydra -U smtp

FOURTH - the destination port
this is optional, if no port is supplied the default common port for the
PROTOCOL is used.
If you specify SSL to use ("-S" option), the SSL common port is used by default.

If you use "://" notation, you must use "[" "]" brackets if you want to supply
IPv6 addresses or CIDR ("192.168.0.0/24") notations to attack:
thc-Hydra [some command line options] ftp://[192.168.0.0/24]
thc-Hydra [some command line options] -6 smtps://[2001:db8::1]/NTLM

Note that everything thc-Hydra does is IPv4 only!
If you want to attack IPv6 addresses, you must add the "-6" command line option.
All attacks are then IPv6 only!

If you want to supply your targets via a text file, you can not use the ://
notation but use the old style and just supply the protocol (and module options):
thc-Hydra [some command line options] -M targets.txt ftp
You can also supply the port for each target entry by adding ":" after a
target entry in the file, e.g.:

foo.bar.com
target.com:21
unusual.port.com:2121
default.used.here.com
127.0.0.1
127.0.0.1:2121

Note that if you want to attach IPv6 targets, you must supply the -6 option
and must put IPv6 addresses in brackets in the file(!) like this:

foo.bar.com
target.com:21
[fe80::1%eth0]
[2001::1]
[2002::2]:8080
[2a01:24a:133:0:00:123:ff:1a]

LOGINS AND PASSWORDS

You have many options on how to attack with logins and passwords
With -l for login and -p for password you tell thc-Hydra that this is the only
login and/or password to try.
With -L for logins and -P for passwords you supply text files with entries.
e.g.:

thc-Hydra -l admin -p password ftp://localhost/
thc-Hydra -L default_logins.txt -p test ftp://localhost/
thc-Hydra -l admin -P common_passwords.txt ftp://localhost/
thc-Hydra -L logins.txt -P passwords.txt ftp://localhost/

Additionally, you can try passwords based on the login via the "-e" option.
The "-e" option has three parameters:

s - try the login as password
n - try an empty password
r - reverse the login and try it as password

If you want to, e.g. try "try login as password and "empty password", you
specify "-e sn" on the command line.

But there are two more modes for trying passwords than -p/-P:
You can use text file which where a login and password pair is separated by a colon,
e.g.:

admin:password
test:test
foo:bar

This is a common default account style listing, that is also generated by the
dpl4thc-Hydra.sh default account file generator supplied with thc-Hydra.
You use such a text file with the -C option - note that in this mode you
can not use -l/-L/-p/-P options (-e nsr however you can).
Example:

thc-Hydra -C default_accounts.txt ftp://localhost/

And finally, there is a bruteforce mode with the -x option (which you can not
use with -p/-P/-C):

-x minimum_length:maximum_length:charset

the charset definition is a for lowercase letters, A for uppercase letters,
1 for numbers and for anything else you supply it is their real representation.
Examples:

-x 1:3:a generate passwords from length 1 to 3 with all lowercase letters
-x 2:5:/ generate passwords from length 2 to 5 ...
Read more