Hacking

Online dictionary attack with Hydra

September 13, 2013 by Dawid Czagan

When an attacker wants to learn credentials for an online system, he can use brute force or a dictionary attack. This article introduces these two types of attack and explains how to launch an online dictionary attack using Hydra.

Brute force vs. dictionary attack

An attacker can try every possible password combination (brute force approach). The advantage is guaranteed success in finding the right password. The drawback is that it is a very time-consuming process.

It’s probable that a typical user is frustrated about password best practices and uses a pattern for the password (for example a common word and a digit appended at the end). Then the attacker can build a set of common words concatenated with a digit (an exemplary pattern in the dictionary) and try every combination from this set. This approach (dictionary attack) can save the attacker’s time, because he doesn’t have to brute-force the whole key space. The disadvantage is that there is no guarantee that the right password will be found. However, the probability of hitting the right password is quite good, taking into account the passwords people often choose.

Environment

Hydra is described as a network logon cracker that supports many services [1]. This article explains how to use Hydra to launch an online dictionary attack against FTP and a web form.

Metasploitable is a Linux-based virtual machine that is intentionally vulnerable [2]. It can be used, for example, to practice penetration testing skills. Please remember that this machine is vulnerable and should not operate in bridge mode.

DVWA (Damn Vulnerable Web Application) is a web application that is intentionally vulnerable [3]. It is helpful for those who want to play with web application security stuff. DVWA is part of Metasploitable.

Dictionaries

Let’s create two short dictionaries for the simplicity of description.

List of users (list_user):

[plain]
admin_1
admin
msfadmin
[/plain]

List of passwords (list_password)

[plain]
password_1
password
msfadmin
password_2
[/plain]

There are 12 combinations to check (3 users times 4 passwords). These combinations include default credentials for DVWA login form and Metasploitable FTP (admin/password for DVWA login form; msfadmin/msfadmin for Metasploitable FTP).

Metasploitable — Dictionary attack on FTP

Use the following command to launch the attack:

[plain]
dawid@lab:~$ hydra -L list_user -P list_password 192.168.56.101 ftp -V
[/plain]

The aforementioned dictionaries (list_user and list_password) are used. The IP address of Metasploitable FTP server is 192.168.56.101. FTP is attacked. That’s why ftp module is used in the command. One should use -V to see username and password for each attempt.

As we can see below, Hydra has found one valid pair of username and password (username: msfadmin, password: msfadmin).

DVWA — Dictionary attack on login form

Use the following command to launch the attack:

[plain]
dawid@lab:~$ hydra -L list_user -P list_password 192.168.56.101 http-post-form “/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed” -V
[/plain]

The aforementioned dictionaries (list_user and list_password) are used again. The IP address of DVWA is 192.168.56.101. The login form of DVWA is available in Metasploitable at 192.168.56.101/dvwa/login.php. When the user logs in, the following request is generated (intercepted by Burp Suite [4]):

The key parts were marked on the screenshot. They are the values of the parameters of http-post-form module:

[plain]
“/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed”
[/plain]

^USER^ and ^PASS^ are replaced with usernames (from list_user) and passwords (list_password) respectively. When the login attempt is unsuccessful, the server responds with a “Login failed” message, which is the value of the last parameter.

Finally, one should use -V to see username and password for each attempt.

As we can see below, Hydra has found one valid pair of username and password (username: admin, password: password).

Summary

This article introduced two types of online password attack (brute force, dictionary) and explained how to use Hydra to launch an online dictionary attack against FTP and a web form. Hydra is a network logon cracker that supports many services [1]. Metasploitable can be used to practice penetration testing skills [2]. DVWA (Damn Vulnerable Web Application) is helpful for those who want to play with web application security stuff [3].

Sources

  • Hydra (access date: 7 September 2013)
  • Metasploitable (access date: 7 September 2013)
  • DVWA (Damn Vulnerable Web Application – access date: 7 September 2013)
  • Burp Suite (access date: 7 September 2013)
Posted: September 13, 2013
Articles Author
Dawid Czagan
View Profile

Dawid Czagan (@dawidczagan) has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter, BlackBerry and other companies. Due to the severity of many bugs, he received numerous awards for his findings. Dawid is founder and CEO at Silesia Security Lab, which delivers specialized security auditing services with a results-driven approach. He also works as Security Architect at Future Processing. Dawid shares his bug hunting experience in his workshop entitled "Hacking web applications - case studies of award-winning bugs in Google, Yahoo, Mozilla and more". To find out about the latest in Dawid's work, you are invited to visit his blog (https://silesiasecuritylab.com/blog) and follow him on Twitter (@dawidczagan).

4 responses to “Online dictionary attack with Hydra”

  1. Mr.Lonely says:

    Thanks for sharing~

    But how can you handle this:

    Wrong syntax, requires three arguments separated by a colon which may not be null: /admin/index.asp

    but this URL is reachable.

  2. mnana says:

    manana

  3. alfonsoi says:

    mmmm i want to remove hydra, how do i do it?

  4. AleX says:

    Thanks mate, but I get an error.. any ideas?

Leave a Reply

Your email address will not be published. Required fields are marked *