THC Hydra Article

authentication cracking!
by David Maciejak, 2011

This article will show how to use Hydra to check for weak passwords. Hydra tries all possible password combinations against a server on the Internet until a valid one is found to log in to the server. It is a powerful tool for hackers and network administrators alike.

Yeah, again an article on how to choose secure passwords. Unbreakable, long and complicated, so they are impossible to remember...

Not really! This article is different!

In this article I will talk from the attacker's point of view: why it is not trivial to brute force a password. I will explain how Hydra can help to test for weak passwords. Hydra is available from -hydra/. It is supposedly the best network login cracking tool available today.

This article will only give you a broad overview of the potential of Hydra. You will figure out the rest by yourself.

First make your network as secure as you can. Make no mistakes: One small mistake by you, one giant leap for the attacker.

    • Set up a test network
    • Set up a test server
    • Configuring services
    • Configure ACL
    • Choosing good passwords
    • Use SSL
    • Use cryptography
    • Use an IDS.

…then let Hydra try to break into your own server!

Setting up networks

The Internet is standardized. It will either be IPv4 or IPv6. Hydra can attack IPv4 and IPv6 networks alike. Use the -6 option to switch to IPv6.

Configuring services and access controls

Common protocols for mail are SMTP, POP3 and IMAP4. They are used by small and large businesses alike; heck, they are even used by gmail, hotmail and other big players: Most of those biggies support one of those protocols beside the web based login known to most of you. Your password is at risk even if you never ever used SMTP, POP3 or IMAP.

Use the -h option in Hydra to get a full list of supported protocols.

A common mistake of many new server installations is that they come with services like POP3, IMAP or SSH enabled by default. Access control and firewall are disabled by default. New default servers are an easy target for Hydra.
Shell 1. Choosing IP version from command line

  #./hydra -l john -p doe imap://
  #./hydra -l john -p doe imap://[::FFFF:]:143 -6

Shell 2. Bruteforce password generator option

  #./hydra -l john -x 5:8:A1 imap://

Shell 3. Set SASL method on command line

  #./hydra -l john -p doe imap://-MD5

Choosing good passwords

Passwords are often chosen carelessly. 90% of all users pick one of the 10 most common passwords at some point on some system.

123456, password, secret, … look familiar?

Might as well not use a password at all then!

Hydra also has a special command line option: Use “-e ns” to check for empty passwords and where the password is the username!

Hydra can work through a list of common passwords or can mutate the passwords randomly.

Use the -x option for mutating the password.

For example use “-x 5:8:A1” to try all passwords of length 5 to 8 by using all possible combinations of all upper case characters and all numbers.

Using SSL and cryptographic methods

Using encryption like SSL does not help. SSL is primarily used to encrypt the sessions between attacker and server. This is an advantage for the attacker as the attack is not picked up by a network Intrusion Detection System (IDS).

SSL is almost never used to authenticate a client. Client side authentication is done by traditional password authentication in almost all

Research has shown that users using SSL chose weaker passwords for the SSL connection than for connections not using SSL. It appears there is some false sense of security lingering among all the good, bad and ugly things with SSL.

This is where Hydra attacks.

In cryptography, if you do not understand it, do not use it!

Besides SSL, Hydra also supports SASL (CRAM-MD5, DIGEST-MD5 and SCRAM-SHA1).

The “Simple Authentication and Security Layer” (SASL) is a framework for authentication and data security in Internet protocols. It decouples authentication mechanisms from application protocols.

The GNU project has implemented it through the GNU SASL Library called GSASL (see

When the server is negotiating a secure channel or a secure method, Hydra just responds “ok let’s do it”, and generates a valid credential based on the challenge sent.

The SASL method can be used as shown above. Use the -U option to get a full list of supported SASL options.
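The checks described under "Choosing good passwords", turned into an audit you can run over the accounts of your own test server. This is an added example, not code from the article or from the Hydra project. The account list, the 16 attempts per second rate and all function names are assumptions constructed for illustration; the charset letters follow the -x option as the article describes it ('A' upper case, '1' numbers), plus 'a' for lower case.

```python
import string

# Constructed sample accounts from a test server you administer (not real data).
ACCOUNTS = [("john", "secret"), ("alice", ""), ("bob", "bob"),
            ("carol", "SECRET42"), ("dave", "c0rrect-Horse-battery")]
# The common passwords the article names; extend with your own list.
COMMON = {"123456", "password", "secret"}
CLASSES = {"a": string.ascii_lowercase, "A": string.ascii_uppercase, "1": string.digits}

def parse_x(spec):
    """Split a MIN:MAX:CHARSET spec such as 5:8:A1 into (min, max, set of characters)."""
    lo, hi, chars = spec.split(":", 2)
    return int(lo), int(hi), set("".join(CLASSES.get(c, c) for c in chars))

def keyspace(spec):
    """Number of candidates an exhaustive run over the spec has to try."""
    lo, hi, alphabet = parse_x(spec)
    return sum(len(alphabet) ** n for n in range(lo, hi + 1))

def years_to_exhaust(spec, attempts_per_second):
    """Worst-case duration at an assumed online guessing rate."""
    return keyspace(spec) / attempts_per_second / (365 * 24 * 3600)

def audit(login, password, spec="5:8:A1"):
    """Return the weak-password classes from the article that this credential falls into."""
    lo, hi, alphabet = parse_x(spec)
    findings = []
    if password == "":
        findings.append("empty")            # what "-e n" tries
    if password == login:
        findings.append("same-as-login")    # what "-e s" tries
    if password.lower() in COMMON:
        findings.append("common")           # first entries of any password list
    if lo <= len(password) <= hi and set(password) <= alphabet:
        findings.append("in-keyspace")      # reachable by "-x 5:8:A1"
    return findings

def report():
    return {login: audit(login, pw) for login, pw in ACCOUNTS}

if __name__ == "__main__":
    for login, findings in report().items():
        print(f"{login:6} {', '.join(findings) or 'no finding'}")
    # 16 attempts per second is an assumed rate, not a measured one.
    print(f"5:8:A1 = {keyspace('5:8:A1'):,} candidates, "
          f"about {years_to_exhaust('5:8:A1', 16):,.0f} years at 16/s")
```

The numbers show where the practical risk sits: the exhaustive 5:8:A1 space is far too large for online guessing, while the empty, same-as-login and common-password classes are covered in a handful of attempts.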
Monitoring access and resources

More and more companies are buying SIEM (Security Information and Event Management) to centralize the event access logs. This could be useful to track abnormal events on the network, for example many authentication failures on a given service. This kind of tool is used to save your time; it could also automatically alert you by using some correlated rules to detect malicious events.

No SIEM prevents the attack. They merely inform you after the event. After Hydra got in. After your data got stolen.

Sometimes the SIEM or the IAM (Identity and Access Management) can become the way of entry as well! These services are using LDAP. And guess what, Hydra also supports

IPS (Intrusion Prevention System) is a must have in a corporate network; nowadays such devices always come with predefined signatures to detect password cracking attacks. However, they have a weak point: they are based on a defined rate. For example, if there are 10 failed authentications in 5 seconds from the same source IP, just block or quarantine the attacker for x seconds.

For this purpose Hydra comes with some features to plan how the attack is conducted. The -t option can be used to set the number of concurrent tasks (default is 16). Set it to 1 and you will stay under the radar of any IDS.

Conclusion

Choose your password wisely. Do not let IDS, IPS, SIEM, IAM or SSL lure you into a false sense of security.

Try Hydra. Make sure you are safe and secure.

The best tool against hacker attacks is a smart network administrator.
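The rate-based weak point described under "Monitoring access and resources", as an added detection example that is not part of the original article: the quoted rule (10 failures in 5 seconds per source IP) misses a slow, single-task series, while a second count per source over a long window catches it. The log format, the addresses, the 20-per-hour threshold and the function names are assumptions constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical log format constructed for this example, not a real daemon's output.
LINE = re.compile(r"^(\S+) auth (ok|failed) user=(\S+) src=(\S+)$")

def sample_log():
    """Constructed events: a fast burst, a slow one-task series, and a user's typos."""
    t0 = datetime(2011, 5, 1, 10, 0, 0)
    events = [(t0 + timedelta(milliseconds=250 * i), "failed", "john", "198.51.100.7")
              for i in range(12)]
    events += [(t0 + timedelta(seconds=3 * i), "failed", "john", "192.0.2.10")
               for i in range(40)]
    events += [(t0 + timedelta(seconds=20 * i), res, "mary", "203.0.113.5")
               for i, res in enumerate(["failed", "failed", "ok"])]
    events.sort()
    return [f"{t.isoformat()} auth {res} user={u} src={s}" for t, res, u, s in events]

def sources_over_rate(lines, window_s, threshold):
    """Sources with at least `threshold` failures inside any window of `window_s` seconds.
    Lines must be in time order."""
    recent = defaultdict(deque)
    flagged = set()
    for line in lines:
        m = LINE.match(line)
        if not m or m.group(2) != "failed":
            continue
        ts, src = datetime.fromisoformat(m.group(1)), m.group(4)
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()                      # drop failures older than the window
        if len(q) >= threshold:
            flagged.add(src)
    return flagged

def run():
    log = sample_log()
    fast = sources_over_rate(log, 5, 10)      # the rule quoted in the article
    slow = sources_over_rate(log, 3600, 20)   # assumed long-window companion rule
    return fast, slow

if __name__ == "__main__":
    fast, slow = run()
    print("10 failures / 5 s :", sorted(fast))
    print("20 failures / 1 h :", sorted(slow))
```

A per-account count over the same long window covers a series spread across several source addresses.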

Figure 1. Module usage, example using IMAP

Hydra Home Project:­hydra
Wikipedia Page: http://en. 
                                             Hydra          )

Special thanks goes to THC crew.
