FTP and TELNET Password Cracking with THC Hydra

Password is the only thing which protects secure information on the network systems. If we want to access secure information, we must be an authorize member of the system or network.  According to many password security study passwords are the biggest security holes . If any unauthorized managed to get the right password, he will be able to access the secure data on the system.

Although many security systems try to improve security by various methods but there are some tools which always break the security easily. THC Hydra is the tool which shows how easy it is to gain the unauthorized access of a network system from remote to a system.

This is not the only tool which can crack FTP or Telnet passwords of a remote computer. There are various tools available which can do this job and those also supports various protocols and use parallel connection to crack. But THC Hydra is the best and known for its speed and efficiency.

THC Hydra performs brute force attack based on password dictionary.

Bruteforce Attack: Bruteforce attack is the most widely used attack for password cracking. This attack uses all possible permutations of passwords until the correct password is found.

For example: If the password is 3 characters long and consists of both letters and numbers. Then a brute force attack will use 2,38,328 different password at your password.

For First character: total lower case letters (26) + total upper case letters (26) + total numbers (10) = 62

For Second character: same = 62

For Third character: same = 62

Total permutations = 62*62*62 = 2,38,328

About THC Hydra: Before knowing about the password cracking with this tool, you must know few things about this tool.

THC Hydra is the fast network logon cracker. It connects with multiple parallel connections to the remote systems and then starts its attack. It is able to crack passwords of various kinds of services.

If we compare this tool with other available logon password crackers, this tool supports more services and protocols. And it is faster than other tools.

List of Protocols, THC Hydra supports: These are the protocols which this tool supports. We can crack password of these services with this nice logon cracker.

AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP, SOCKS5, SSH (v1 and v2), Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

Supported Platforms: This network logon cracker is available for most of the available platforms. This is the list:

·         All UNIX platforms (linux, *bsd, solaris, etc.)

·         Mac OS/X

·         Windows with Cygwin (both ipv4 and ipv6)

·         Mobile systems based on Linux or Mac OS/X (e.g. Android, iPhone, Zaurus, iPaq)

Hydra Explaind and its usage:

For command line usage, we will use following command:

$ hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e ns] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-f] [-s PORT] [-S] [-vV] server service [OPT]

Here different argument has different meaning. Read the meaning of these command line arguments below:

-R

It is used to restore a previous aborted/crashed session

-S

connect via SSL to the target system

-s

if the service is on a different default port, define it here. Write –s before the port.

-l or -L

login with LOGIN name, or load several logins from FILE. Be sure for case of l in both argument. Small for username ad capital for username list file.

-p or -P

try password PASS, or load several passwords from FILE. Same case for p will be applied here. If you want to try single password use small p. But use capital P for the password list.

-e

additional checks, "n" for null password, "s" try login as pass

-C

colon seperated "login:pass" format, instead of -L/-P options. This file will have colon seperated login and password. This is also a better idea to use.

-M

server list for parallel attacks, one entry per line

-o

It will write found login/password pairs to FILE instead of stdout.

-f

This argument will exit after the first found login/password pair (per host if -M). It will not check for any other combinattion which may be matched if we are using username list and password list together.

-t

run TASKS number of connects in parallel (default: 16)

-w

defines the max wait time in seconds for responses (default: 30)

-v / -V

verbose mode / show login+pass combination for each attempt

server

the target server (use either this OR the -M option)

service

the service to crack. Supported protocols: telnet ftp pop3[-ntlm] imap[-ntlm] smb smbnt http[s]-{head|get} http-{get|post}-form http-proxy cisco cisco-enable vnc ldap2 ldap3 mssql mysql oracle-listener postgres nntp socks5 rexec rlogin pcnfs snmp rsh cvs svn icq sapr3 ssh2 smtp-auth[-ntlm] pcanywhere teamspeak sip vmauthd firebird ncp afp

How to crack Telnet password with THC Hydra:

First of all download, Hydra from the official website. If you are using windows Version, you will have to work on console. These are no GUI for windows users. I am showing it on windows. Download the zip file and extract it on the system.

Now follow these steps:

Click on start and type CMD in search bar (in windows 7) and open command prompt.

Now change the command prompt location to the hydra folder by using CD command.

Figure 1: THC Hydra

Now we will execute the hydra by typing hydra.exe in the command prompt

Figure 2: Running Hydra For First Time

Now we need to select the target computer. At this moment we can use Nmap for scanning IP and open ports. So download the Nmap in your system. Windows users should download windows version. After downloading Nmap, scan for IP range. Also check for open ports in these IP addresses.

How to Use Nmap?

Use of Nmap is really simple. If you do not know, I am writing something in short which will help you.

Suppose I am in a network which has IP series of 192.168.0.x and I want to break into the telnet of a system in this network. I will use Nmap to find my target system.

First of all, we will scan to check which systems are alive on the network. Use Nmap for simple ping and get the list of all systems alive on the network. Use this command:

nmap -sP 192.168.0.1-10

now see the results of this ping scan. You will get the list of ip addresses of all systems which are alive. These systems can be used as target so I will pick one from the list.

I have chosen the system with ip address 192.168.0.7

Now we will check whether the TELNET port is open in the target computer or not. So use this command for simple port scan:

nmap -sS -sV -P 0 -T5 -O 192.168.0.7

This command will show all running service on the target computer. If Telnet service is running on the target system, we are ready for the attack, otherwise we will have to select another computer for the attack.

After selecting the target, we will start attack on it. After knowing that Telnet port is open we will use Hydra to attack on it.

There are two things we need to have before the attack. Username list and a password list. Username list is being used in case we do not know the username. Password list will be the possible list of passwords which will be used by hydra for brute forcing.

Case 1: Suppose we know the username. Let us assume that the username for the target telnet is admin.

Now we will use the command to run the attack.

hydra -l admin -P passlist.txt 192.168.0.7 telnet

Figure 3: attacking on Telnet of target system with username Admin

Here passlist.txt is the list of possible passwords. Hydra will use each password for the selected username and will try to login. If a password from the list is matched, it will stop the scanning and show the username and password combination for the target telnet.

Figure 4: Cracked password for the username admin

If no password from the passlist.txt matched with the username, it will simply stop scan.

In case, you want to save the scan results into a file, you will have to change the command and add the name of the output file into command line argument.

hydra -l admin -P passlist.txt -o test.txt 192.168.0.7 telnet

This command will save the result to the output file test.txt.

Case 2: In case you do not know the username, you can use the guess list of username along with the password list. Now we will use the command to run the attack.

hydra -L username.txt -P passlist.txt 192.168.0.7 telnet

Here username.txt is the guess list for possible usernames for the target admin and passlist.txt is the guess list for possible passwords.

To save the result into a output file we will use the similar command as I have already written. The only difference is that we will pass username list here.

hydra -L username.txt -P passlist.txt -o test.txt 192.168.0.7 telnet

Here: One thing to Note that using username and password list change one thing in the command which is not noticeable for all users. When I have executed the command for a single username, I used –l admin but I use -L username.txt when I used a list. Here see the difference between –L and-l. When use a single username, use small case of l but use capital L when use username list.

If you are on Ubuntu or any other linux based operating system, this tool will be more easy to use. This tool comes with a nice GUI for Linux based operating systems. So you will not need to learn hydra commands for them. Working is similar and commands are executed in background of GUI.

This was the short demonstration of Telnet password cracking with the use of HYDRA network logon cracker.

How to crack FTP password with THC Hydra:

In previous section, I wrote about cracking Telnet password with Hydra. As I already told that this is a network logon cracker and it supports many network protolcols. So it is used to cracked most of the network login. Cracking FTP password is also the same as cracking telnet password.

You just need to find the target system with FTP port open. And then use hydra to crack password with password dictionary. If you are not sure about the username, you can use username dictionary along with password dictionary.

Now we will use the command to run the attack.

hydra -l admin -P passlist.txt 192.168.0.7 ftp

You can see that the command is similar. Only I have replaced the Telnet with ftp to tell Hydra that it has to attack on ftp port this time. You can change the target system IP accordingly. You can also use admin list as given below.

hydra –L username.txt -P passlist.txt 192.168.0.7 ftp

All other things are similar. And you can replace this ftp to any other supported protocol.

How to protect against Hydra attack: Protection against these kind of Buteforcing attack is divided into three parts

·         Always check your logs against suspicious activity. Log files will help to know more about the attacker.

·         Always use strong password with good length. Use both cases, number and a special characters.

·         Always restrict few number of invalid login and then block the login from that IP.

Conclusion: THC Hydra is really a nice and effective networ logon cracker. It is best among all available network logon cracker tools. It is also used dictionary based attack with multiple connection at a time which makes it faster. So always use strong password which is hard to crack. If you will use a strong password with use of capital and small letters, numbers and special characters. These kind of passwords are really hard to crack as it makes more number of permutations. You can also setup server restriction. In this, you can disallow login after 3 invalid login. This will block bruteforce attack.

credits:http://www.hackingtricks.in/