One of the biggest security holes in IT are passwords. So many times people chose the lazy option and pick poor passwords. In Linux based CTF (Capture the Flag) challenges there is regularly an element of “password hacking” Typically this comes in the form of trying to Brute force it with a tool like Hydra. Which is to try different passwords until you find the one you want.
After an initial enumeration with “nmap” a few services pop up. Enumerate some more, and you find a user name. Then its time to fire up those systems and get to unlocking that CTF with Hydra
Setup for CTF
As always, I use my custom build BlackArch install, but you can use any Linux flavour. If not using my BlackArch or Kali you likely won’t find hydra available in the repositories of the distribution you are using. So I strongly recommend you use one of them for an easier life. For the testing stage you will need “docker” and “burpsuite” installed.
Back in 2009, a company named RockYou was subject to a hack. This wouldn’t have been too much of a problem if they hadn’t stored all of their passwords un-encrypted, 32 million of them. Unfortunately this list was publicly available.
Since then, this list grows and grows and has become the ultimate password list. This list, it’s huge, so huge that it can take days or weeks to run the full list. So for the examples on this page I will not use it, but all budding CTF challengers and researchers should be aware of it.
There are many password lists on the internet and there are many people who reviewed and reduced them to more manageable ones. The rockyou file, although probably the most definitive password list, is too big for most cases when learning. My goto site for all passwords lists is the seclist in github. For this short learning session I will only focus on one list within the many lists on that page. The Update 10-million-password-list–top-100.txt will do just fine. For my testing I copied the top 100 list into /tmp/password
Hydra the Wizard in Action
There are a few options when running Hydra. Lets take a look at the easiest one, the wizard. This helps the user to build up the options required for putting the command together.
- You are then asked to select a service, ssh, ftp, etc.
- Enter a target
- Enter a username or a file of usernames
- Input a password or a file of passwords
- For this example, just hit enter for the rest but you can explore them in detail if you like.
This generates the hydra command and its list of options. You also get an option to run the command.
I have an alpine docker ssh server running on localhost on port 2222 for testing against.
hydra -l root -P /tmp/password -u 127.0.0.1 ssh -s 2222
I have run a docker ftp server on local host for testing.
hydra -l testuser -P /tmp/password -u 127.0.0.1 ftp
I am going to go a bit crazy here as its a bit more advanced than the previous one. I will show how to build a command for brute forcing a WordPress site. The user name we are going to brute force is “admin” and the password is unknown.
First you have to enable the proxy Interceptor in “burpsuite“, go to the word press page and put in the Username of “admin” and anything for the password.
At this stage we can use “burpsuite” to intercept the login and to capture the “http header” request.
“Burpsuite” is a fantastic tool that allows you capture and modify web content before its sent. In the case above it can be seen that when the “Log in” button is clicked, a Post request is sent with a bunch of headers and some Data at the end. It’s this “data” that we need as this is what the WordPress form is sending for authentication. so we can capture this part and add it to Hydra for access.
hydra -l admin -P /tmp/password 192.168.1.163\ -s 8084 -V http-form-post '/wp-login.php:\ log=^USER^&pass=^PASS^\ &wp-submit=Log+In&redirect_to=\ http%3A%2F%2F192.168.1.163%3A8084%2Fwp-admin%2F\ &testcookie=1:Invalid
Lets take a closer look at this command.
- -s 8084, Port has to be defined as WordPress is running in a docker container on port 8084.
- ^USER^/^PASS^, These are the parts we can bruteforce and are replaced with the options provided with “-l” and “-P”.
- -V http-form-post, Tells Hydra that this is a webform.
- /wp-login.php:.., tell hydra the end point of the form and how the username and password should be submitted. Options here are separated by “:”
- /wp-login.php, login page
- log=^USER^&pass=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F192.168.1.163%3A8084%2Fwp-admin%2F&testcookie=1, These are options used by WordPress to submit the login. We got this from burpsuite.
- Invalid, This is what hydra looks for in a failed login, kind of like grep. If it finds it, hydra marks the login attempt as failed.
Tips & Tricks
You can create a customer username and password file in the below format and call it with the -C option.
jaime11:JKiufg6 jaime11:JKiufg6 jaime11:JKiufg6 smileys:98GHbjh jaime11:JKiufg6 jaime11:JKiufg6 jaime11:JKiufg6
hydra -C pass 192.168.186.22 ssh
Hydra is a great tool for researchers, ethical hackers and security consultants to show how easy it can be to gain access to a system remotely. Using Hydra in a CTF environment is also a great way to learn how the tool works. Also its great to show how insecure passwords can be.
Hydra is my main password fuzzing tools on BlackArch and there is nothing quite so satisfying than when it finds a password and you can move onto that next step in beating a CTF. Hydra also makes my list as one of my favourite goto research tools.