H Y D R A
(c) 2001-2004 by van Hauser / THC
<vh@thc.org> http://www.thc.org
VER 4.5
HYDRA 4.5 user guide, Chinese edition (I have added several usage examples of my own; this guide is a free translation rather than a literal one)
Team: FreeXploiT
Author: ALLyeSNO
Date: 2005-1-22
1. Introduction
------------
As password security research shows, the entry point of many security breaches is a password. This tool
(HYDRA) exists to show security researchers and consultants one fact: how trivially easy it can be to
gain unauthorized access to a remote system.
Once more, to all security enthusiasts (translator: hackers, white hats, red hats and green hats alike): please use this tool legally!!!
If you want to use this tool commercially, please refer to the license agreement (translator: the license is in
the source archive).
There are already several login hacker tools available, however none supports more than one protocol
to attack or parallelized connects. (translator: "parallized" must be a newly coined word; I render it as
"parallel")
Currently this tool supports:
TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, LDAP, SMB, SMBNT, MS-SQL, MYSQL, REXEC,
SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3, Cisco auth, Cisco enable,
SMTP-AUTH, SSH2, SNMP, CVS, Cisco AAA.
That said, the module engine makes writing a module for a new service very easy, so supporting even more services will not take long.
Planned are: SSH v1, Oracle and more.
Help with writing these modules is very much appreciated :)
2. How to compile (Linux/Unix)
------------
At the command line, type ./configure, then make and make install.
If you have Cygwin, follow the instructions that ./configure prints after it runs.
For PalmPilot handhelds, type ./configure-palm
For ARM processors, type ./configure-arm
3. Supported platforms
------------
All UNIX platforms (Linux, *BSD, Solaris, etc.)
Mac OS X
Windows with Cygwin installed (both IPv4 and IPv6)
Mobile systems with ARM processors and Linux (e.g. Zaurus, iPaq)
PalmOS handhelds
4. How to use
------------
At the command line, type ./configure, then make, to compile hydra.
Once compiled, type ./hydra -h to see the command line options.
You can also type make install to install hydra into /usr/local/bin.
Note: no wordlist files are included. Build your own weak-password dictionary or download a cracking wordlist from the net.
For Linux users there is a GTK GUI; type ./xhydra
5. Special options for modules
---------------------------
Via the third command line parameter (TARGET SERVICE OPTIONAL) or the -m option, you can pass one option to a module.
Only a few modules actually use this.
Here is the list of those modules:
service module   optional parameter
============== =================================================
www / http / ssl / https
               specifies the page to authenticate at (REQUIRED). "/secret",
               "http://bla.com/foo/bar" and "https://test.com:8080/members"
               are all valid forms.
http-proxy     specifies the page to authenticate at (OPTIONAL, default http://www.suse.com/)
smbnt          value [L,LH,D,DH,B,BH] (REQUIRED)
               (L) check local accounts, (D) domain accounts, (B) either
               (H) interpret the passwords as NTLM hashes
ldap           specifies the DN (OPTIONAL; you can also pass the DN as the login with -l)
cisco-enable   specifies the logon password for the Cisco device (REQUIRED)
sapr3          specifies the client id, a number between 0 and 99 (REQUIRED)
telnet         specifies the string the server shows after a successful login (matched
               case-insensitively); use it if the telnet module's default check produces
               too many false positives (OPTIONAL)
An example of how to use this with the www module to hand over the page to authenticate at:
hydra -l jdoe -P /tmp/passlist www.attack.com http /members/
is the same as:
hydra -m /members/ -l jdoe -P /tmp/passlist www.attack.com http
Another example:
hydra -m LH -l administrator -P sam.dump nt.microsoft.com smbnt
Yet another:
hydra -l gast -p gast -m 6 -s 3200 sapr3.sap.com sapr3
Or this also works:
hydra -l bla -p blubb ms.com telnet "welcome hacker"
6. Resuming an aborted session
---------------------------
When hydra is aborted with Ctrl+C (or killed, or crashes), it writes the information needed to resume into a
hydra.restore file, so you can pick up again from the point where it was interrupted. By default hydra writes this checkpoint every 5 minutes.
Note 1: when you attack more than one host with the -M option, this feature is automatically disabled.
Note 2: a hydra.restore file cannot be used on a different platform (translator: an odd rule; the author was
lazy and did not even provide a format converter, heh)
7. How to crack through a proxy server
----------------------------
The HYDRA_PROXY_HTTP environment variable defines a web proxy (this applies only to the http/www service).
Syntax:
HYDRA_PROXY_HTTP="http://123.45.67.89:8080/"
For all other services, use HYDRA_PROXY_CONNECT to go through a web proxy's CONNECT method; it uses the same syntax, e.g.:
HYDRA_PROXY_CONNECT=proxy.anonymizer.com:8000
If your proxy requires a username and password, use the HYDRA_PROXY_AUTH variable:
HYDRA_PROXY_AUTH="the_login:the_password"
8. Additional hints
----------------------------
* uniq your dictionary files! Removing duplicate words from your wordlist can save you a lot of time :-)
  (translator: see the Linux uniq command,
  http://www-900.ibm.com/developerWorks/cn/linux/l-tip-prompt/l-tiptex6/index.shtml)
cat words.txt | sort | uniq > dictionary.txt
* If you know the target's password policy, e.g. it only allows passwords of at least 6 characters containing
  at least one letter and one digit, you can use the pw-inspector tool shipped in the hydra package to shrink the wordlist:
cat dictionary.txt | pw-inspector -m 6 -c 2 -n > passlist.txt
9. Options you will never see in hydra
-----------------------------------
In this section I list options that will never appear in hydra, and explain why.
? feeding logins and passwords from stdin (e.g. from john)
# This will not be implemented, for two reasons:
a) it would break the session-restore functionality, and b) it would not work with multiple targets.
Because it would interfere with the regular functionality like this, I will not add these options.
10. Speed
----------------------------
Thanks to its parallelism, this tool cracks far faster than before, though the speed depends on the protocol. Roughly: POP3 > FTP > TELNET > IMAP.
Tuning the -t option also speeds things up: the larger the value, the faster the cracking, but set it too high and you risk a denial of service against the target.
11. Statistics
----------------------------
Run against SuSE Linux 7.2 on localhost with a -C FILE containing 295 entries (294 invalid logins, 1 valid).
Each task count was tested three times (only once for 1 task) and the average recorded (times are m:ss):
                           P A R A L L E L   T A S K S
SERVICE    1      4      8      16     32     50     64     100    128
-------  --------------------------------------------------------------------
telnet   23:20  5:58   2:58   1:34   1:05   0:33   0:45*  0:25*  0:55*
ftp      45:54  11:51  5:54   3:06   1:25   0:58   0:46   0:29   0:32
pop3     92:10  27:16  13:56  6:42   2:55   1:57   1:24   1:14   0:50
imap     31:05  7:41   3:51   1:58   1:01   0:39   0:32   0:25   0:21
(*)
Note: telnet timings vary a great deal between 64 and 128 tasks. With 128 tasks, four runs took anywhere from 28 to 97 seconds.
The reason is still unknown.
12. Bugs & suggestions
---------------
If you find bugs in this software or have written a new module, email us:
vh@thc.org
Type Bits/KeyID Date User ID
pub 2048/CDD6A571 1998/04/27 van Hauser / THC <vh@reptile.rug.ac.be>
Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e ns]
[-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-f] [-s PORT] [-S] [-vV]
server service [OPT]
Options:
-R          restore a previous aborted/crashed session and continue cracking
-S          connect via SSL
-s PORT     if the service runs on a port other than its default, define it here
-l LOGIN or -L FILE   login with LOGIN name, or load several logins from FILE
-p PASS or -P FILE    try password PASS, or load several passwords from FILE
-e ns       additional checks: "n" tries a null (empty) password, "s" tries the login name as the password
-C FILE     colon-separated "login:pass" format, instead of the -L/-P options
-M FILE     server list (translator: a list of IPs) for parallel attacks, one entry per line
-o FILE     write found login/password pairs to FILE instead of stdout
-f          exit after the first found login/password pair (per host when -M is used)
-t TASKS    run TASKS number of connects in parallel (default: 16)
-w TIME     defines the max wait time in seconds for responses (default: 30)
-v / -V     verbose mode / show the login+password combination for each attempt
server      the target server (translator: the host whose passwords you are cracking); use either this OR the -M option
service     the service to crack. Supported protocols:
[telnet ftp pop3 imap smb smbnt http https http-proxy cisco cisco-enable ldap
mssql mysql nntp vnc socks5 rexec snmp cvs icq pcnfs sapr3 ssh2 smtp-auth]
OPT         some service modules need special input (see section 5, "Special options for modules")
Two examples:
hydra -l login -P /tmp/passlist 192.168.0.1 ftp
login is the user name to crack, passlist the password wordlist
hydra -l login -P passfile 192.168.0.1 smb
login is the user name to crack, passfile the password wordlist; the smb service cracks the operating system (Windows) logon password
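The -C FILE format and the -e ns checks above are easy to misjudge when estimating how many attempts a run will make. The following added example (not code from the hydra README or the hydra package) expands a login list and a password list into the "login:pass" lines that -C accepts, adds the two guesses -e ns would add per login, a null password ("n") and the login name as its own password ("s"), and computes the "guesses per task" figure the STATISTICS section reports for a given -t value. The sample lists, the counts, and the assumption that hydra reads an empty password field as a null password are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the hydra README or source: build the "login:pass"
# lines that -C FILE accepts, including what "-e ns" adds on top of -L/-P
# (a null password and the login used as its own password), and count the
# attempts so -t and lockout exposure can be judged before running hydra.
# The lists below are constructed sample data for this example.

LOGINS='root
admin'
PASSWORDS='123456
letmein1
letmein1'

# expand_pairs -- print login:pass lines for every login in LOGINS: first the
# -e n and -e s extras, then each distinct password (sorted with sort -u so a
# duplicate guess is never sent twice for the same login).
expand_pairs() {
    printf '%s\n' "$LOGINS" | while IFS= read -r login; do
        [ -n "$login" ] || continue
        printf '%s:\n' "$login"                 # -e n: null password (assumed -C spelling)
        printf '%s:%s\n' "$login" "$login"      # -e s: login name as password
        printf '%s\n' "$PASSWORDS" | LC_ALL=C sort -u | while IFS= read -r pass; do
            [ -n "$pass" ] || continue
            printf '%s:%s\n' "$login" "$pass"
        done
    done
}

# count_pairs -- total attempts hydra would make from the expanded list.
count_pairs() {
    expand_pairs | wc -l | tr -d ' '
}

# guesses_per_task TOTAL TASKS -- guesses each of TASKS parallel connects
# handles, rounded up; the "guesses per task" row in STATISTICS is this value
# for TOTAL=295.
guesses_per_task() {
    echo $(( ($1 + $2 - 1) / $2 ))
}

# Usage:
#   expand_pairs > pairs.txt
#   hydra -C pairs.txt 192.168.0.1 ftp
```

With the constructed lists the run is 2 logins x (2 extras + 2 distinct passwords) = 8 attempts; the third "letmein1" is dropped by sort -u, which is the same time saving the "uniq your dictionary" hint below describes.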
FreeXploiT:ALLyeSNO
Afterword:
1. According to the dictionary, "hydra" means the nine-headed serpent.
2. I did not translate the following passage well; can someone help me fix it?
OPTIONS YOU WILL NEVER SEE IN HYDRA
-----------------------------------
In this section I put feature requests which I will never implement within
hydra - and why.
? feeding login/passwords from stdin (e.g. from john)
# This will not be implemented as it would not be possible to use with
a) the restore functionality and b) multiple targets
workarounds for b) would be possible, however they would be ugly hacks that
sometimes would not work. As this feature therefore will not fit the other
standard functionality, you will never see it here.
=========================================================
H Y D R A
(c) 2001-2004 by van Hauser / THC
<vh@thc.org> http://www.thc.org
INTRODUCTION
------------
Passwords are the number one security hole, as every password security
study shows.
This tool is proof-of-concept code that gives researchers and security
consultants a way to show how easy it can be to gain unauthorized remote
access to a system.
THIS TOOL IS FOR LEGAL PURPOSES ONLY!
FOR USING THIS TOOL COMMERCIALLY, SEE THE LICENCE FILE!
There are already several login hacker tools available, however none
supports more than one protocol to attack or parallelized connects.
Currently this tool supports:
TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, LDAP, SMB, SMBNT, MS-SQL, MYSQL, REXEC,
SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3, Cisco auth, Cisco enable,
SMTP-AUTH, SSH2, SNMP, CVS, Cisco AAA.
However, the module engine for new services is very easy to use, so it won't
take long until even more services are supported.
Planned are: SSH v1, Oracle and more.
Your help in writing these modules is highly appreciated!! :-)
HOW TO COMPILE
--------------
Type "./configure" and then "make" and "make install".
If you have CYGWIN, you have to follow the instructions "./configure" prints
after running.
For PalmPilot, run "./configure-palm".
For ARM processor mobiles, run "./configure-arm".
SUPPORTED PLATFORMS
-------------------
All UNIX platforms (linux, *bsd, solaris, etc.)
Mac OS/X
Windows with Cygwin (both ipv4 and ipv6)
Mobile systems with ARM processors and Linux (e.g. Zaurus, iPaq)
PalmOS
HOW TO USE
----------
Type "./configure", followed by "make" to compile hydra and then
"./hydra -h" to see the command line options.
You may also type "make install" to install hydra to /usr/local/bin.
Note that NO login/password file is included. Generate them yourself.
For Linux users, a GTK gui is available, try "./xhydra"
SPECIAL OPTIONS FOR MODULES
---------------------------
Via the third command line parameter (TARGET SERVICE OPTIONAL) or the -m
command line option, you can pass one option to a module.
Only some modules actually use this; a few require it.
Here is the complete list:
service module optional parameter
============== =================================================
www / http / ssl / https
               specifies the page to authenticate at (REQUIRED)
Value can be "/secret" or "http://bla.com/foo/bar" or
"https://test.com:8080/members"
http-proxy     specifies the page to authenticate at (OPTIONAL,
               default http://www.suse.com/)
smbnt value [L,LH,D,DH,B,BH] (REQUIRED)
(L) Check local accounts, (D) Domain Accounts, (B) Either
(H) interpret passwords as NTLM hashes
ldap specifies the DN (OPTIONAL, you can also specify the DN
as login with -l)
cisco-enable specifies the logon password for the cisco device (REQUIRED)
sapr3 specifies the client id, a number between 0 and 99 (REQUIRED)
telnet         specifies the string which is displayed after a successful
               login (case insensitive); use it if the default in the telnet
               module produces too many false positives (OPTIONAL)
An example for how to use this with the www module to hand over the web page
to authenticate to:
hydra -l jdoe -P /tmp/passlist www.attack.com http /members/
is the same as:
hydra -m /members/ -l jdoe -P /tmp/passlist www.attack.com http
another example:
hydra -m LH -l administrator -P sam.dump nt.microsoft.com smbnt
yet another example:
hydra -l gast -p gast -m 6 -s 3200 sapr3.sap.com sapr3
or
hydra -l bla -p blubb ms.com telnet "welcome hacker"
RESTORING AN ABORTED/CRASHED SESSION
------------------------------------
When hydra is aborted with Control-C, killed or crashes, it leaves a
"hydra.restore" file behind which contains all necessary information to
restore the session. This session file is written every 5 minutes.
NOTE: if you are cracking parallel hosts (-M option), this feature doesn't
work, and is therefore disabled!
NOTE: the hydra.restore file can NOT be copied to a different platform (e.g.
from little endian to big endian, or from Solaris to AIX)
HOW TO SCAN/CRACK OVER A PROXY
------------------------------
The environment variable HYDRA_PROXY_HTTP defines the web proxy (this works
just for the http/www service!).
The following syntax is valid:
HYDRA_PROXY_HTTP="http://123.45.67.89:8080/"
For all other services, use the HYDRA_PROXY_CONNECT variable to scan/crack
via a web proxy's CONNECT call. It uses the same syntax. eg:
HYDRA_PROXY_CONNECT=proxy.anonymizer.com:8000
If you require authentication for the proxy, use the HYDRA_PROXY_AUTH
environment variable:
HYDRA_PROXY_AUTH="the_login:the_password"
ADDITIONAL HINTS
----------------
* uniq your dictionary files! this can save you a lot of time :-)
cat words.txt | sort | uniq > dictionary.txt
* if you know that the target is using a password policy (allowing users
  only to choose passwords with a minimum length of 6, containing at least one
  letter and one number, etc.), use the tool pw-inspector which comes along
  with the hydra package to reduce the password list:
cat dictionary.txt | pw-inspector -m 6 -c 2 -n > passlist.txt
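The two hints above (and section 8 of the translation earlier on this page) together describe a pipeline: dedupe the wordlist, then drop every candidate the target's password policy would have rejected anyway. The following is an added example, not code from the hydra README or the hydra package, that carries out both steps in one place so the reduction can be checked offline; it reimplements the policy filter in awk rather than calling pw-inspector. The sample words and the policy of at least 6 characters with at least one letter and one digit are assumptions taken from the prose.

```shell
#!/bin/sh
# Added example (not from the hydra README or the hydra package): the two
# wordlist hints in one runnable form. Duplicates are removed with sort -u,
# then every candidate a policy of "at least MINLEN characters, at least one
# letter and at least one digit" would reject is dropped, so hydra never
# spends a connection on a password the target could not have accepted.
# The policy and the sample words below are assumptions for the example.

# Constructed sample list, as a raw unsorted dump would look: duplicates,
# short words, and words lacking either a letter or a digit.
RAW_WORDS='password
123456
letmein1
Password1
password
abc123
qwerty
123456
s3cret
summer2004
99999999
admin
letmein1'

# prepare_wordlist MINLEN -- reads candidates on stdin and writes the reduced
# list on stdout: unique entries of length >= MINLEN that contain at least
# one letter and at least one digit. LC_ALL=C keeps the sort order and the
# character ranges independent of the caller's locale.
prepare_wordlist() {
    minlen="$1"
    LC_ALL=C sort -u | LC_ALL=C awk -v minlen="$minlen" '
        length($0) >= minlen && $0 ~ /[A-Za-z]/ && $0 ~ /[0-9]/ { print }
    '
}

# count_kept MINLEN -- number of sample candidates that survive the policy.
count_kept() {
    printf '%s\n' "$RAW_WORDS" | prepare_wordlist "$1" | wc -l | tr -d ' '
}

# kept_list MINLEN -- the surviving sample candidates, space separated.
kept_list() {
    printf '%s\n' "$RAW_WORDS" | prepare_wordlist "$1" | tr '\n' ' ' | sed 's/ $//'
}

# Usage against a real file, then hand the result to hydra with -P:
#   prepare_wordlist 6 < words.txt > passlist.txt
#   hydra -l jdoe -P passlist.txt 192.168.0.1 ftp
```

On the constructed list, 13 raw entries shrink to 5 (Password1 abc123 letmein1 s3cret summer2004), so the run needs fewer than half the connections; raising the minimum length to 8 leaves 3. The `cat words.txt | sort | uniq` hint is the same operation as `sort -u words.txt`.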
OPTIONS YOU WILL NEVER SEE IN HYDRA
-----------------------------------
In this section I put feature requests which I will never implement within
hydra - and why.
? feeding login/passwords from stdin (e.g. from john)
# This will not be implemented as it would not be possible to use with
a) the restore functionality and b) multiple targets
workarounds for b) would be possible, however they would be ugly hacks that
sometimes would not work. As this feature therefore will not fit the other
standard functionality, you will never see it here.
SPEED
-----
Through the parallelizing feature, this password cracker can be very
fast; however, it depends on the protocol. The fastest is generally POP3,
then FTP, then Telnet, and the slowest IMAP.
Experiment with the task option (-t) to speed things up! The higher - the
faster ;-) (but set it too high, and the service stops responding)
STATISTICS
----------
Run against a SuSE Linux 7.2 on localhost with a "-C FILE" containing
295 entries (294 tries invalid logins, 1 valid). Every test was run three
times (only for "1 task" just once), and the average noted down.
P A R A L L E L T A S K S
SERVICE 1 4 8 16 32 50 64 100 128
------- --------------------------------------------------------------------
telnet 23:20 5:58 2:58 1:34 1:05 0:33 0:45* 0:25* 0:55*
ftp 45:54 11:51 5:54 3:06 1:25 0:58 0:46 0:29 0:32
pop3 92:10 27:16 13:56 6:42 2:55 1:57 1:24 1:14 0:50
imap 31:05 7:41 3:51 1:58 1:01 0:39 0:32 0:25 0:21
(*)
Note: telnet timings can be VERY different for 64 to 128 tasks! e.g. with
128 tasks, running four times resulted in timings between 28 and 97 seconds!
The reason for this is unknown...
guesses per task (rounded up):
295 74 38 19 10 6 5 3 3
guesses possible per connect (depends on the server software and config):
telnet 4
ftp 6
pop3 1
imap 3
BUGS & FEATURES
---------------
Email me if you find bugs or if you have written a new module.
vh@thc.org
Type Bits/KeyID Date User ID
pub 2048/CDD6A571 1998/04/27 van Hauser / THC <vh@reptile.rug.ac.be>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3i
mQENAzVE0A4AAAEIAOzKPhKBDFDyeTvMKQ1xx6781tEdIYgrkrsUEL6VoJ8H8CIU
SeXDuCVu3JlMKITD6nPMFJ/DT0iKHgnHUZGdCQEk/b1YHUYOcig1DPGsg3WeTX7L
XL1M4DwqDvPz5QUQ+U+VHuNOUzgxfcjhHsjJj2qorVZ/T5x4k3U960CMJ11eOVNC
meD/+c6a2FfLZJG0sJ/kIZ9HUkY/dvXDInOJaalQc1mYjkvfcPsSzas4ddiXiDyc
QcKX+HAXIdmT7bjq5+JS6yspnBvIZC55tB7ci2axTjwpkdzJBZIkCoBlWsDXNwyq
s70Lo3H9dcaNt4ubz5OMVIvJHFMCEtIGS83WpXEABRG0J3ZhbiBIYXVzZXIgLyBU
SEMgPHZoQHJlcHRpbGUucnVnLmFjLmJlPokAlQMFEDVE0D7Kb9wCOxiMfQEBvpAD
/3UCDgJs1CNg/zpLhRuUBlYsZ1kimb9cbB/ufL1I4lYM5WMyw+YfGN0p02oY4pVn
CQN6ca5OsqeXHWfn7LxBT3lXEPCckd+vb9LPPCzuDPS/zYnOkUXgUQdPo69B04dl
C9C1YXcZjplYso2q3NYnuc0lu7WVD0qT52snNUDkd19ciQEVAwUQNUTQDhLSBkvN
1qVxAQGRTwgA05OmurXHVByFcvDaBRMhX6pKbTiVKh8HdJa8IdvuqHOcYFZ2L+xZ
PAQy2WCqeakvss9Xn9I28/PQZ+6TmqWUmG0qgxe5MwkaXWxszKwRsQ8hH+bcppsZ
2/Q3BxSfPege4PPwFWsajnymsnmhdVvvrt69grzJDm+iMK0WR33+RvtgjUj+i22X
lpt5hLHufDatQzukMu4R84M1tbGnUCNF0wICrU4U503yCA4DT/1eMoDXI0BQXmM/
Ygk9bO2Icy+lw1WPodrWmg4TJhdIgxuYlNLIu6TyqDYxjA/c525cBbdqwoE+YvUI
o7CN/bJN0bKg1Y/BMTHEK3mpRLLWxVMRYw==
=MdzX
-----END PGP PUBLIC KEY BLOCK-----