Hydra the right program for the task?

[revelryOcelot]

Alright. So here's the sit-rep. We have a test scada system that we are working on at my college. I have the privilege playing with it. I'm new to bt and most forms of hands-on security testing. My teacher wants us to see if we can crack the website's login page. I was thinking that maybe hydra would do the trick but has been unsuccessful (assuming I'm using it correctly). Now, I read that Hydra is a "Network Logon" cracker and supports http/https. That would make me infer that it can crack website logins, but more to make me think only the ones that prompt you for your creds instead of an actual login page.

Is this correct? If I'm wrong, does that mean Hydra can do it? If not, which of the programs will (assuming it's possible)?

I've already looked through and searched a summary of each program and only really found a couple that I deemed suited for the task. Needless to say, I've had no luck with any.

[bofh28]

Depending on what the SCADA system controls I would be VERY careful. I would never try to pentest a water treatment plant without having it fully staffed and everyone informed that the electronics may go haywire and having away to quickly reset everything to normal. I have run too many nmap scans that caused old and poorly designed equipment/software to freak out and send out bad data or worse stop responding i.e. showing a water tank full when it has been emptying for an hour. SCADA systems are way too fragile to play with. Your best defense is to put the SCADA system on its own private and physical network. What I mean is a network that is not in anyway shape or form plugged into equipment that has any non SCADA equipment on it. And make sure it is NOT internet accessible. If it is an absolute requirement that the SCADA system be remotely controlled, use a VPN, two factor authentication, and at least 2 hardware firewalls to get to the SCADA network. I have never seen a SCADA system that could function properly with a software firewall installed on it.

[snafu777]

bofh28

Alright. So here's the sit-rep. We have a test scada system that we are working on at my college.

He's not doing a real SCADA.

revelryOcelot,

yes, hydra will do that for you quite well. I've used it in situations like that before. It took me some googling to find the answer, but I'm happy to share with you how I use hydra to crack default admin passwords for a router test. The following assumes the login page is http://192.168.1.1/index.asp

Code:

hydra 192.168.1.1 -L [usernames file] -P [password file] -t 1 -e ns -V -f http-get /index.asp

-or- the colonized way where username/passwords are in one file..ie

admin:pass
bob:salay
foo:dung

hydra 192.168.1.1 -C [colon file]-t 1 -e ns -V -f http-get /index.asp

[revelryOcelot]

Thanks for the info! It's helped. The command I've tried is

Code:

hydra <ip> -s <port> -P <password file>  -l <user> -V -f http-get /index.htm -t 5

It stops at the first password in the file and says it's the valid pair, when it's by all means not. Why would it do that? Another thing that gets me is if you do a "man hydra", it shows the services that it supports. When I run some of those services (e.g. http-form-post), it gets mad and says "Unknown Service". Maybe I have a bad version? It's the one that came with bt5 though.

[Dudeman02379]

check out this link insidetrust.com: Using Hydra to dictionary-attack web-based login forms begin reading at "Web-based login forms prerequisites"

[revelryOcelot]

check out this link insidetrust.com: Using Hydra to dictionary-attack web-based login forms begin reading at "Web-based login forms prerequisites"

Wow, that's helped out a lot. Thank you.