Time
9 minutes
Difficulty
Intermediate

Video Transcription

00:04
Hello and welcome to another episode of Breaking Stuff with Robert. Today we're going to be going over THC Hydra.
00:14
Now, during this very brief lesson, what we hope to do is provide you with a high-level overview of Hydra, what its capabilities are and what it can do, and provide you with a demo of how the tool is used in a live environment.
00:29
Now, everyone is welcome to attend and check this course out. But for those of you that are network administrators, you may be familiar with the new NIST standards on password policies and how we can now, you know, set them up a certain way that they never have to be changed again. But the caveat there: you have to do testing for weak passwords in the form of
00:49
brute forcing credentials or testing hashes, things of that nature.
00:53
So having this tool in your back pocket would definitely be helpful. Then exploitation analysts looking to recreate password attacks for review purposes definitely could benefit from using this tool. Cyber defense analysts that want to create signatures for brute force attacks or that maybe want to create mall data for training purposes, this is a great tool to use as well,
01:12
and then penetration testers looking to
01:15
test multiple systems for known credential sets. This is a great tool to use as well. You can target multiple systems at a time with a list of user names and a list of passwords. So if you're going to, like, an environment that uses Cisco or Palo Alto or Dell hardware, whatever the case may be,
01:34
you can create user name lists and password lists against those
01:40
known credential sets and then do some testing there.
01:44
Now, while you don't have to actually have any prior knowledge to watch this demonstration, it definitely is beneficial to have a fundamental knowledge of brute force attacks and how those work, a fundamental knowledge of protocols such as SSH, FTP and how those can be accessed
02:00
using, like, the command line or ah, going to whatever the case may be there, and then some fundamental knowledge of Nmap and basic port scanning techniques.
02:12
The reason being is we're going to go pretty quick through the demonstration. I'm going to show you some data points as to how we came to start attacking this particular system,
02:21
but I'm not going to give you all of the nitty gritty steps on how we went through that and did that today. So with that in mind, let's go ahead and jump into our demo environment.
02:31
All right, everybody, welcome to the demo environment. We have got our very powerful *** machine here ready to do our bidding. So today, as we said, we're going to be looking at Hydra. Now, I've already done an Nmap scan to get some information pulled up here about the Metasploitable box.
02:52
Now, for those of you that do security testing, pen testing, things of that nature for a living,
02:57
there are easier ways to get into the box. I mean, I'm not gonna point anything out here or, you know, make anything too obvious, but, you know, brute forcing this stuff right out the gate probably isn't the easiest way in. But we're doing a demonstration here, not, you know, actually testing the security of this box and trying to get into it as easily as possible. So
03:16
with that in mind, let's go ahead and type in Hydra. And over here on the right,
03:21
And as you can see here, we get some syntax for the tool as well as an example down here at the bottom. That's pretty clean. Now.
03:30
I'm not personally, this is personal preference, I'm not a fan of using dash L and dash P to do one-offs. Like, if you know, like you get a username through information gathering and then you don't know the password, then that's good to use the dash L. But if you're just right out the gate, have no information, I would try to get a valid user name first,
03:50
but if you're in the dark and you don't know what the user names are at all for the environment, then the dash L
03:57
switch here is going to be your friend, so that you can pull from a list of user names that you can create and a list of passwords. I also like to use the dash T switch here to run multiple tasks at a time so that we can get through the process as quickly as possible.
04:15
And then, in this instance, I'm gonna use Dash on to skip recovery file
04:18
brewed up attempts or what have you, because that usually adds about 10 seconds, and I've been messing around with this thing prior to the demo. So let's go ahead and jump right in and mount an attack against our demo box here, the Metasploitable box. So
04:34
we're gonna use dash L again. And we've got a custom word list here that we've put together
04:40
for this demo, and it lives in a wordlists directory under the Metasploit directory. There's a ton of word lists pre-built into this
04:47
that you can use for testing purposes. Someone's already done the heavy lifting for you. But if you want to create your own word lists, again, if you go into a Cisco environment or a Dell-based environment or anything of that nature where there's common passwords and user names on the Internet, you can create a quick custom word list and run that through the environment.
05:08
Another thing that I like about the tool is you can use the dash
05:12
capital M switch, which will allow you to attack multiple systems at a time, and that could be very beneficial. If you're trying to distribute your workload kind of evenly and you wanna do multiple things at a time and not attack one system, come back, attack one system, you can use dash M and create a list there to attack multiple systems at a time.
05:31
And I can't apparently talk and type at the same time either. So let's go ahead and get our password
05:39
list put up here.
05:42
And then we're going to use dash T 4 for four tasks there, to skip, and we're attacking the SSH protocol as discovered with our Nmap scan. So let's go ahead and put in our IP address.
05:57
Looks like I'm having that would go
06:00
Get away from me for some reason.
06:01
On 130, go ahead and let that fly. Now we get pretty quick hits here. But if you're doing, you know, brute forcing and you don't have prior knowledge of the environment, it can take a really, really long time for this tool to run, depending on how beefy your machine is. In this case, again, we crafted some custom
06:21
user name lists and password lists so that we can get some outputs pretty quick and show you how this looks. So it tells you the number of valid passwords found, and then it gives you each user name and each password.
06:33
So, um, if you wanted to go ahead and do some testing, you can go ahead and try to get into the box using, let's say, user in this case.
06:45
And then we will go to our
06:48
Metasploitable box here
06:58
125.130
07:02
and then we're using user as the password, and that gets us in. So I am user.
07:10
I am at the box that I am attacking. And so we're in. And from here you can start to investigate the folder structure, look for sensitive information and maybe make some additional movement into the organization from that point.
07:25
So with that in mind, one other thing I'd like to show you that's pretty cool here that you can do in your test: if you need to keep track of your documentation, which I always recommend you do, you can just do a quick pipe to your desktop.
07:43
You can do a hits.txt or something like that,
07:46
and this will just output to a file for you instead.
07:50
And once it finishes running,
07:53
it'll, uh,
07:55
let you know,
07:57
and then you can open up that file for later use
08:01
and have your recorded user names and passwords, as well as when you ran the tool and when the tool finished. Very, very good practice with respect to doing your security tests and keeping track of when you scan something, when you finish scanning something
08:16
and what hits you got so that you always have evidence and you get into the habit of keeping good documentation.
08:22
So let's go ahead and jump back over to our slides.
08:28
All right, everybody. So that was a pretty quick demo today of THC Hydra, Hydra for short. I hope you enjoyed the demo, and I hope you walk away from this with a new perspective on some things that you can do with the tool. Again, we didn't go into all of the details of the tool and all of the switches, so there are a lot of things that this tool does that we didn't cover here today.
08:46
But at a high level, you should know now that you can automate
08:50
brute forcing across multiple machines or systems within an environment,
08:54
and you can use either custom generated or previously generated or even system generated user name and password lists. So this is a very good tool to take that burden of brute forcing off of you, and it keeps you from having to do onesies-twosies throughout the environment.
09:11
Now, don't forget that we do have some supplemental material attached to this video, so please
09:16
look below for the link and download our reference document for THC Hydra. It's just a quick reference of some of the use cases, description and some of the syntax that we used here in this video today. So I want to thank you for your time, and I look forward to seeing you again.

How to Use THC-Hydra (BSWR)

THC-Hydra offers brute-force password cracking and can perform rapid dictionary attacks against many protocols. The tool can use an existing password list, for example the ‘Rockyou.txt’ password list, or one you create yourself. THC-Hydra is flexible enough to accept new modules and works across multiple platforms, including Linux, macOS and Windows.

Instructed By

Robert Smith
Director of Security Services at Corsica
Instructor