One of the most important skills used in hacking and penetration testing is the ability to crack user passwords and gain access to system and network resources. One of the most common techniques is known as brute force password cracking. Using tools such as Hydra, you can run large lists of possible passwords against various network security protocols until the correct password is discovered.
The length of time a brute force password attack takes depends on the processing speed of your computer, your Internet connection speed (and any proxy servers you are relying on for anonymity), and some of the security features that may or may not be installed on the target system. The Whitehat Hacking and Penetration Testing tutorial provides a solid overview of password cracking techniques.
Although there are quite a few password cracking utilities available, Hydra is renowned as one of the best ones and is relied on by hackers and security experts alike as a way to test the strength of user passwords and overall network integrity.
What Protocols Does Hydra Work With?
Hydra is a very versatile penetration testing tool that has been successfully used with most modern network security protocols. Some examples include:
- Cisco
- Cisco-enable
- HTTPS-form-get
- MySQL
- SSH2
- SIP
- FTP
- Oracle-listener
- MSSQL
- IMAP
This is a condensed list of some common protocols that Hydra has been successfully used against in penetration testing and malicious hacking exploits, but there are many others as well.
How Does Hydra Work?
In order to understand how Hydra works, you first must understand how brute force hacking works. As previously mentioned, Hydra takes a large list of possible passwords (usually in the millions) and systematically attempts to use these passwords to gain entry. Many of the common passwords that are included with Hydra are passwords that are known to be used by non-IT savvy users such as password1, secretpassword, etc.
To maximize the effectiveness of a brute force password attack, a good hacker will also incorporate elements of social engineering into a custom password list that specifically targets users within an organization. Social media sites such as Facebook have made social engineering extremely easy as many people use loved ones, children’s names, street addresses, and favorite football teams as their passwords. By linking employees to a specific organization and then looking for social media clues, a hacker can usually build a sturdy password list with a much higher success ratio. You can learn more about social engineering techniques in Hacking School.
Hydra was actually developed for penetration testing, although it has become very popular in the hacking underworld. Regardless of which way you plan to use Hydra, it’s worth noting the recommendations set forth by the Hydra developers.
- Make your network as secure as possible.
- Set up a test network.
- Set up a test server.
- Configure services.
- Configure the ACL.
- Choose good passwords.
- Use SSL.
- Use cryptography.
- Use an IDS.
- Throw Hydra against these security measures and try to crack the login commands.
These recommendations are designed to help penetration testers set up a secure environment that is unlikely to be breached by a Hydra attack. The reality is that many networks are set up by amateurs and there is little to no security.
In most professionally configured networks, there are a few security components that render Hydra practically useless and you will probably fail at your attempts to crack passwords and could possibly be charged with a crime for your actions.
Some of these security measures include:
Disabling or blocking access to accounts after a predetermined number of failed authentication attempts has been reached. If this has been configured on a network, chances are it will only allow 3 – 5 attempts before locking down the account. The likelihood that Hydra will guess the correct password in this many attempts is slim to none. In fact, you’d be more likely to win the Powerball.
Many companies have also gone to a multifactor or double opt-in authentication method for users. This means that in addition to a password, a security question has to be answered correctly for access. At this time, Hydra is not set up to crack multifactor authentication.
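The lockout measure described above, together with the "Use an IDS" recommendation, can be sketched as a sliding-window counter over SSH authentication logs. This is an added example, not part of the original article or of Hydra; the log lines are constructed, and the function name, thresholds and simplified timestamp format are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style log lines (simplified timestamp; documentation address ranges).
SAMPLE_LOG = """\
2024-05-01T10:00:01 gw sshd[811]: Failed password for root from 203.0.113.7 port 40100 ssh2
2024-05-01T10:00:03 gw sshd[811]: Failed password for root from 203.0.113.7 port 40102 ssh2
2024-05-01T10:00:05 gw sshd[811]: Failed password for root from 203.0.113.7 port 40104 ssh2
2024-05-01T10:00:07 gw sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40106 ssh2
2024-05-01T10:00:09 gw sshd[811]: Failed password for invalid user test from 203.0.113.7 port 40108 ssh2
2024-05-01T10:02:00 gw sshd[902]: Failed password for alice from 198.51.100.20 port 51000 ssh2
2024-05-01T10:02:20 gw sshd[902]: Failed password for alice from 198.51.100.20 port 51002 ssh2
2024-05-01T10:02:41 gw sshd[902]: Accepted password for alice from 198.51.100.20 port 51004 ssh2
"""

LINE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: (Failed|Accepted) password for "
                  r"(?:invalid user )?(\S+) from (\S+) port \d+")

def analyze(log_text, account_limit=3, source_limit=5, window=timedelta(minutes=10)):
    """Return (accounts to lock, source IPs to alert on) from sliding-window failure counts."""
    by_account, by_source = defaultdict(deque), defaultdict(deque)
    lock, alert = set(), set()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # ignore unrelated log lines
        ts, result, user, src = datetime.fromisoformat(m[1]), m[2], m[3], m[4]
        if result == "Accepted":
            by_account[user].clear()  # a successful login resets the account counter
            continue
        # Count each failure twice: per account (lockout) and per source IP (IDS alert).
        for key, table, limit, hits in ((user, by_account, account_limit, lock),
                                        (src, by_source, source_limit, alert)):
            q = table[key]
            q.append(ts)
            while ts - q[0] > window:  # drop failures that fell out of the window
                q.popleft()
            if len(q) >= limit:
                hits.add(key)
    return lock, alert
```

Raising `account_limit` to 5 on the same sample locks no account, yet the source address is still flagged: guesses spread across several usernames stay under a per-account lockout, which is why the per-source count is tracked as well.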
Installing Hydra
Hydra is a Linux-based tool that can be downloaded freely from the proper repository. Open a Linux terminal and enter the following instructions to download and install the latest version of Hydra:
- cd /data/src/
- wget http://freeworld.thc.org/releases/hydra-5.9-src.tar.gz
- tar xzvf hydra-5.9-src.tar.gz
- cd hydra-5.9-src/
- ./configure
- make
- sudo make install
Now that Hydra is properly installed on your machine, you’re ready to launch attacks on unsuspecting systems. Although in theory this password cracking utility can work on any network that is not properly secured, some of your best targets are going to be routers that support SSH and Web servers using FTP. Advanced Penetration Testing breaks down likely targets and specific attacks that are effective for each.
If you can gain access to a router via SSH, you can change administrative settings at the root level and then log into the network wirelessly for complete access to network resources. Cracking the FTP password on a Web server provides similar results and can dig up some interesting information or be used to deface websites hosted on the Web server by modifying existing HTML and image files contained within the website hierarchy. Introduction to Ethical Hacking and Web Application Security details common security practices and ways to bypass them using Hydra and other tools.
Using Hydra as a password cracker is not an invincible solution. Rather, you should think of Hydra as just another tool in your hacker’s toolbox that can be used when appropriate to gain access to improperly secured network resources.
As a final note, it is illegal to access a network that does not belong to you without permission from the network administrators. If you are using Hydra as a professional penetration tester, you have nothing to worry about. If you are trying to gain unauthorized access to networks in your spare time, you could very well have the police knocking at your door in no time.
Remember – with great power comes great responsibility.