Cracking Network
Telnet & FTP Password Cracking with THC Hydra
A password is the only thing that protects secure information on a network system. If we want to access secure information, we must be an authorize members of the system or network. According numerous security studies, passwords are the biggest security hole in any network. If any unauthorized individual manages to get the right password, he will be able to access secure data on the system.
Although many systems try to improve security using various methods there are some tools which are far more effective at hacking into a network system than others. THC Hydra is one of the primary tools that can show how easy it is to gain unauthorized access to a network system from remote location.
THC Hydra is not the only tool that can crack FTP or Telnet passwords from a remote computer. Indeed, there are various tools available that can both do the job and also support various protocols while using a parallel connection to crack a network. But THC Hydra is considered the best weapon for hacking a network, as it is known for its speed and efficiency.
The THC Hydra performs a brute-force attack based on a password dictionary.
Brute-force Attack: Brute-force attack is the most widely used attack for password cracking. This attack uses all possible permutations of a password until the correct password is found.
For example: If the password is 3 characters long and consists of both letters and numbers. Then a brute-force attack will use 2,38,328 different password as your password.
For First character: total lower case letters (26) + total upper case letters (26) + total numbers (10) = 62
For Second character: same = 62
For Third character: same = 62
Total permutations = 62*62*62 = 2,38,328
About THC Hydra: Before learning about password cracking with this tool, you must know few things about the method itself.
THC Hydra is the fast network logon cracker. It connects with multiple parallel connections from the remote system and then starts its attack. It is able to crack passwords used by all kinds of services.
Compared with other available logon password crackers, this tool supports more services and protocols and is faster than others.
List of Protocols THC Hydra supports: These are the protocols that this tool supports, and we can crack the password of all these services using this logon method:
AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP, SOCKS5, SSH (v1 and v2), Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.
Supported Platforms: This network logon cracker is available for most of the available platforms including those listed below:
- All UNIX platforms (Linux, Solaris, etc.)
- Mac OS/X
- Windows with Cygwin (both ipv4 and ipv6)
- Mobile systems based on Linux or Mac OS/X (e.g. Android, iPhone, Zaurus, iPaq)
Hydra Explained and its Usage:
For command line usage, we will use following command:
$ hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e ns] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-f] [-s PORT] [-S] [-vV] server service [OPT]
Here a different argument has a different meaning. Read the meaning of these commands in the line arguments below:
-R
It is used to restore a previous aborted/crashed session
-S
Connects via SSL to the target system
-s <PORT>
If the service is on a different default port, define it here. Write –s before the port.
-l <LOGIN> or -L <FILE>
Login with LOGIN name, or load several logins from FILE. Be sure to be aware of the case of l in both arguments. Use small caps for username add capital letters for the username list file.
-p <PASS> or -P <FILE>
Try the password PASS, or load several passwords from FILE. The same case for p will be applied here. If you want to try a single password, use a small p but use a capital P for the password list.
-e <ns>
Provides additional checks: “n” for null password, “s” to try to login as pass
-C <FILE>
Colon separates “login:pass” format instead of -L/-P options. This file will have a colon-separated login and password, which is also easier to use overall.
-M <FILE>
A server list for parallel attacks, one entry per line
-o <FILE>
It will write found login/password pairs to FILE instead of stdout.
-f
This argument will exit after the first found login/password pair (per host if -M). It will not check for any other combinations that may be matched if we were using a username list and password list together.
-t <TASKS>
Runs TASKS and keeps track of the number of connections in parallel (default: 16)
-w <TIME>
Defines the maximum wait time in seconds for responses (default: 30)
-v / -V
Indicates verbose mode/shows login+pass combination for each attempt
server
The target server (use either this OR the -M option)
service
The service to crack. Supported protocols: telnet ftp pop3[-ntlm] imap[-ntlm] smb smbnt http[s]-{head|get} http-{get|post}-form http-proxy cisco cisco-enable vnc ldap2 ldap3 mssql mysql oracle-listener postgres nntp socks5 rexec rlogin pcnfs snmp rsh cvs svn icq sapr3 ssh2 smtp-auth[-ntlm] pcanywhere teamspeak sip vmauthd firebird ncp afp
How to crack Telnet password with THC Hydra:
First of all, download Hydra from the official website. If you are using the Windows version, you will have to work on a console as there are no GUI for Windows users. I am demonstrating this tool on a Windows system below. Download the zip file and extract it on the system.
Now follow these steps:
Click on Start, type CMD in the search bar (in Windows 7), and open command prompt.
Now change the command prompt location to the hydra folder by using CD command.
Now we will execute the Hydra by typing hydra.exe in the command prompt
Now we need to select the target computer. At this moment we can use Nmap for scanning IP and open ports. So download the Nmap in your system. Windows users should download the Windows version. After downloading Nmap, scan for IPs in range. Also check for open ports in these IP addresses.
How to Use Nmap?
The use of Nmap is really simple. If you do not know, I will be posting a more detailed article shortly, which will help you.
Suppose I am in a network which has IP series of 192.168.0.x and I want to break into the Telnet of a system in this network. I will use Nmap to find my target system.
First of all, we will scan to check which systems are alive on the network. Use Nmap to perform a simple ping and get the list of all systems alive on the network. Use this command:
nmap -sP 192.168.0.1-10
Now see the results of this ping scan. You will get the list of all IP addresses in the system which are alive. I will pick one from the list to target.
I have chosen the system with IP address 192.168.0.7
Now we will check whether the Telnet port is open in the target computer or not. So use this command for simple port scan:
nmap -sS -sV -P 0 -T5 -O 192.168.0.7
This command will show you all the services currently running on the target computer. If the Telnet service is running on the target system, we are ready for the attack. If not, we will have to select another computer for the attack.
After locating a suitable target, we will begin the attack using Hyrdra.
There are two pieces of data we need to have on hand before we can begin the attack: the username list and a password list. The username list is being used in case we do not know the username. The password list will contain the list of passwords that will be used by Hydra for brute-forcing.
Case 1: Suppose we know the username. Let us assume that the username for the target Telnet is admin.
Now we will use the command to run the attack:
hydra -l admin -P passlist.txt 192.168.0.7 telnet
Here in passlist.txt is the list of possible passwords. Hydra will use each password for the selected username and will try to login. If a password from the list is matched, it will stop the scanning and show the username and password combination for the target Telnet.
If no password from the passlist.txt matches with the username, it will simply stop the scan.
If you want to save the scan results into a file, you will have to change the command and add the name of the output file into command line argument.
hydra -l admin -P passlist.txt -o test.txt 192.168.0.7 telnet
This command will save the result to the output file test.txt.
Case 2: In case you do not know the username, you can use the guess list of usernames along with the password list. Now we will use the command to run the attack:
hydra -L username.txt -P passlist.txt 192.168.0.7 telnet
In username.txt the system stores the guess list for possible usernames for the target admin. In addition, passlist.txt is the guess list for possible passwords.
To save the result in an output file, we will use a similar command to the one I have already written. The only difference is that we will utilize the username list here:
hydra -L username.txt -P passlist.txt -o test.txt 192.168.0.7 telnet
One thing to note is that using a username and password list changes one thing in the command that is not noticeable for all users. When I have executed the command for a single username, I used –l admin, but I use-L username.txt when I used a list. Here we can see the difference between –L and-l: When I use a single username, I use small caps for l, but when using the username list, I use a capital L.
If you are on Ubuntu or any other Linux-based operating system, this tool will be easier to use. This tool comes with a nice GUI for Linux-based operating systems, so you will not need to learn Hydra commands. Working with this system requires using similar tools and commands are executed in the background of GUI.
This was a short demonstration of cracking Telnet passwords using a Hydra network logon cracker.
How to Crack FTP Password with THC Hydra:
In the previous section I wrote about cracking Telnet passwords with Hydra. As I already mentioned, this method is a network logon cracker and it supports many network protocols. As a result, Hydra is used to crack most of network logins. Cracking FTP passwords essentially involves the same process as cracking Telnet passwords.
You just need to find the target system with an open FTP port, and then use Hydra to crack the passwords with a password dictionary. If you are not sure about the username, you can use username dictionary along with the password dictionary.
Now we will use the command to run the attack:
hydra -l admin -P passlist.txt 192.168.0.7 ftp
You can see that the command is similar to the command used with Telnet cracking. Only here I have replaced the Telnet with “ftp” to tell Hydra that it has to attack the FTP port this time. You can change the target system’s IP accordingly. You can also use admin list as given below:
hydra –L username.txt -P passlist.txt 192.168.0.7 ftp
All other things are almost exactly the same: You can use “ftp” to replace any other supported protocols.
How to Protect Against a Hydra Attack: Protection against this kind of brute-force attack is divided into three parts:
- Always check your logs against suspicious activity. Log files will help you learn more about the attacker.
- Always use strong password that are adequate in length. Use both upper and lower cases, numbers, and special characters.
- Always restrict the number of invalid logins that can be attempted, and then block the login from that IP.
Tip: THC Hydra is really a nice and effective network logon cracker. Of all the available network login cracking tools, it is the most effective. It also uses dictionary-based attacks with multiple connections, which makes it faster than other tools. So always use the strongest passwords possible. If you use a strong password, which incorporates the use of capital and small letters, numbers, and special characters, then you increase security by increasing the number of permutations Hydra must extrapolate. You can also setup server restrictions in which you can disallow login after 3 invalid login attempts. This will block a brute-force attack.
0 Comments:
Post a Comment
Subscribe to Post Comments [Atom]
<< Home