I installed Hydra on my machine to scan an SSH server; this was not too hard.
I downloaded the source via Git this way.
(jcartwright@localhost) 192.168.1.5 Documents $ git clone https://github.com/vanhauser-thc/thc-hydra.git
Cloning into 'thc-hydra'...
remote: Enumerating objects: 3603, done.
remote: Counting objects: 100% (1388/1388), done.
remote: Compressing objects: 100% (193/193), done.
remote: Total 3603 (delta 1262), reused 1225 (delta 1195), pack-reused 2215
Receiving objects: 100% (3603/3603), 3.30 MiB | 5.49 MiB/s, done.
Resolving deltas: 100% (2447/2447), done.
If all prerequisites are installed such as libssh and libidn-devel, then cd into the directory and run the configure script to check all requisite packages are installed.
(jcartwright@localhost) 192.168.1.5 thc-hydra $ ./configure
Starting hydra auto configuration ...
Detected 64 Bit Linux OS
Checking for zlib (libz/zlib.h) ...
... found
Checking for openssl (libssl/libcrypto/ssl.h/sha.h) ...
... found
Checking for gcrypt (libgcrypt/gpg-error.h) ...
... gcrypt not found, radmin2 module disabled
Checking for idn (libidn) ...
... found
Checking for curses (libcurses/term.h) ...
... found, color output enabled
Checking for pcre2 (libpcre/pcre.h) ...
... found
Checking for Postgres (libpq/libpq-fe.h) ...
... NOT found, module postgres disabled
Checking for SVN (libsvn_client-1/libapr-1/libaprutil-1) ...
... NOT found, module svn disabled
Checking for firebird (libfbclient) ...
... NOT found, module firebird disabled
Checking for MYSQL client (libmysqlclient/math.h) ...
... NOT found, module Mysql will not support version > 4.x
Checking for AFP (libafpclient) ...
... NOT found, module Apple Filing Protocol disabled - Apple sucks anyway
Checking for NCP (libncp/nwcalls.h) ...
... NOT found, module NCP disabled
Checking for SAP/R3 (librfc/saprfc.h) ...
... NOT found, module sapr3 disabled
Get it from http://www.sap.com/solutions/netweaver/linux/eval/index.asp
Checking for libssh (libssh/libssh.h) ...
... found
Checking for Oracle (libocci/libclntsh/oci.h/libaio/liboci) ...
... NOT found, module Oracle disabled
Get basic and sdk package from http://www.oracle.com/technetwork/database/features/instant-client/index.html
Checking for Memcached (libmemcached/memcached.h) ...
... NOT found, module memcached disabled
Checking for Freerdp3 (libfreerdp3/freerdp.h/libwinpr3/winpr.h) ...
... NOT found, checking for freerdp2 module next...
Checking for Freerdp2 (libfreerdp2/freerdp.h/libwinpr2/winpr.h) ...
... NOT found, module rdp disabled
Checking for Mongodb (libmongoc-1.0/mongoc.h/libbson-1.0/bson.h) ...
... NOT found, module mongodb disabled
Checking for smbclient (libsmbclient/libsmbclient.h) ...
... NOT found, module smb2 disabled
Checking for GUI req's (pkg-config/gtk+-2.0) ...
... NOT found, optional anyway
Checking for Android specialities ...
... strrchr() found
... RSA_generate_key() found
Checking for secure compile option support in gcc ...
Compiling... yes
Linking... yes
Checking for --allow-multiple-definition linker option ... yes
Hydra will be installed into .../bin of: /usr/local
(change this by running ./configure --prefix=path)
Writing Makefile.in ...
now type "make"
Then once this finishes and there are no problems, run ‘make’ to build the source code.
(jcartwright@localhost) 192.168.1.5 thc-hydra $ make
After this, install to /usr/local/bin this way.
[root@localhost thc-hydra]# make install
Now type make install
strip hydra pw-inspector
echo OK > /dev/null && test -x xhydra && strip xhydra || echo OK > /dev/null
mkdir -p /usr/local/bin
cp -f hydra-wizard.sh hydra pw-inspector /usr/local/bin && cd /usr/local/bin && chmod 755 hydra-wizard.sh hydra pw-inspector
echo OK > /dev/null && test -x xhydra && cp xhydra /usr/local/bin && cd /usr/local/bin && chmod 755 xhydra || echo OK > /dev/null
sed -e "s|^INSTALLDIR=.*|INSTALLDIR="/usr/local"|" dpl4hydra.sh | sed -e "s|^LOCATION=.*|LOCATION="/etc"|" > /usr/local/bin/dpl4hydra.sh
chmod 755 /usr/local/bin/dpl4hydra.sh
mkdir -p /usr/local/etc
cp -f *.csv /usr/local/etc
mkdir -p /usr/local/man/man1/
cp -f hydra.1 xhydra.1 pw-inspector.1 /usr/local/man/man1/
mkdir -p /usr/local/share/pixmaps
cp -f xhydra.png /usr/local/share/pixmaps/
mkdir -p /usr/local/share/applications
desktop-file-install --dir /usr/local/share/applications xhydra.desktop
[root@localhost thc-hydra]#
Now the program is installed and working, I can use it right away.
(jcartwright@localhost) 192.168.1.5 thc-hydra $ hydra
Hydra v9.6dev (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [-m MODULE_OPT] [service://server[:PORT][/OPT]]
Options:
-l LOGIN or -L FILE login with LOGIN name, or load several logins from FILE
-p PASS or -P FILE try password PASS, or load several passwords from FILE
-C FILE colon separated "login:pass" format, instead of -L/-P options
-M FILE list of servers to attack, one entry per line, ':' to specify port
-t TASKS run TASKS number of connects in parallel per target (default: 16)
-U service module usage details
-m OPT options specific for a module, see -U output for information
-h more command line options (COMPLETE HELP)
server the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
service the service to crack (see below for supported protocols)
OPT some service modules support additional input (-U for module help)
Supported services: adam6500 asterisk cisco cisco-enable cobaltstrike cvs ftp[s] http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql(v4) nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] redis rexec rlogin rpcap rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey teamspeak telnet[s] vmauthd vnc xmpp
Hydra is a tool to guess/crack valid login/password pairs.
Licensed under AGPL v3.0. The newest version is always available at;
https://github.com/vanhauser-thc/thc-hydra
Please don't use in military or secret service organizations, or for illegal
purposes. (This is a wish and non-binding - most such people do not care about
laws and ethics anyway - and tell themselves they are one of the good ones.)
Example: hydra -l user -P passlist.txt ftp://192.168.0.1
You need a wordlist for this to break passwords. Use the rockyou2021.txt file to have a large enough wordlist. Here is a magnet link for a very large wordlist.
magnet:?xt=urn:btih:4920c210b30de7bec53b35266bd3e77ece1a75fe&dn=rockyou2021.txt%20dictionary%20from%20kys234%20on%20RaidForums&tr=udp%3A%2F%2Ftracker.openbittorrent.com%3A6969%2Fannounce&tr=udp%3A%2F%2Fexodus.desync.com%3A6969%2Fannounce&tr=udp%3A%2F%2Fwww.torrent.eu.org%3A451%2Fannounce&tr=udp%3A%2F%2Ftracker.torrent.eu.org%3A451%2Fannounce&tr=udp%3A%2F%2Ftracker.opentrackr.org%3A1337%2Fannounce&ws=https%3A%2F%2Fgetright.tweedge.net%2F
Use 7zip to unpack this wordlist.
(jcartwright@localhost) 192.168.1.5 rockyou2021.txt dictionary from kys234 on RaidForums $ 7z x rockyou2021.txt.7z.001
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=C.UTF-8,Utf16=on,HugeFiles=on,64 bits,12 CPUs Intel(R) Core(TM) i5-10400F CPU @ 2.90GHz (A0655),ASM,AES-NI)
Scanning the drive for archives:
1 file, 9000000000 bytes (8584 MiB)
Extracting archive: rockyou2021.txt.7z.001
--
Path = rockyou2021.txt.7z.001
Type = Split
Physical Size = 9000000000
Volumes = 2
Total Physical Size = 13644753861
----
Path = rockyou2021.txt.7z
Size = 13644753861
--
Path = rockyou2021.txt.7z
Type = 7z
Physical Size = 13644753861
Headers Size = 138
Method = LZMA2:24
Solid = -
Blocks = 1
Everything is Ok
Size: 98378212907
Compressed: 13644753861
7zip is very slow on Linux, but eventually, it will be unpacked.
Download a lot of useful wordlists here: https://wiki.skullsecurity.org/index.php/Passwords.
Unpack a wordlist like this.
(jcartwright@localhost) 192.168.1.5 Hydra $ bzip2 -d rockyou.txt.bz2
But to use Hydra to attack an SSH server, use it like this.
(jcartwright@localhost) 192.168.1.5 Hydra $ hydra -l johann -P rockyou2021.txt ssh://localhost
Hydra v9.6dev (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-01-31 11:40:31
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
This will take a long time to run, but if the password is in the wordlist, the attack will succeed.
1. SSH Server Behavior:
- Most SSH servers don’t reveal whether a failed login attempt is due to an incorrect username or password. They simply provide a generic “authentication failed” message.
- This makes it difficult for attackers to distinguish between invalid usernames and invalid passwords, slowing down the brute-forcing process.
2. Username Space:
- The possible username space is often smaller and more predictable compared to password possibilities.
- Attackers can often narrow down potential usernames based on common patterns (e.g., firstname.lastname, admin, root), making brute forcing less time-consuming.
3. Tools for Username Brute Forcing:
- While tools like Hydra and Nmap’s ssh-brute script primarily focus on password brute force, they can be configured to brute force usernames as well.
4. Strategies:
- Targeted Username Lists: Attackers might create custom username lists based on information gathered about the organization or individuals involved.
- Combining with Password Brute Forcing: Attackers might try a small set of common usernames with a larger password list to increase efficiency.
5. Countermeasures:
- Account Lockout: Servers often implement lockout mechanisms after a certain number of failed login attempts, hindering brute-forcing attempts.
- Fail2Ban: This tool blocks IP addresses after repeated failed login attempts, further deterring attacks.
- Strong Password Policies: Enforce strong password policies to make brute forcing passwords more difficult, even if a username is discovered.
- Two-Factor Authentication: Require two-factor authentication to add an extra layer of security, even if valid credentials are compromised.
Ethical Considerations:
- It’s crucial to only attempt brute forcing on systems you have explicit permission to test. Unauthorized brute-forcing attempts are illegal and unethical.
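The Fail2Ban countermeasure listed above works by counting failed logins per source address inside a time window. The sketch below is an added example, not code from this page or from the Fail2Ban project. It applies the same idea to OpenSSH "Failed password" log lines, borrowing the names maxretry and findtime from Fail2Ban's jail options. The log lines, addresses and assumed year are constructed sample data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH "Failed password" line, with or without the "invalid user" prefix.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def find_offenders(lines, maxretry=5, findtime=600, year=2024):
    """Return {ip: usernames tried} for each source with at least `maxretry`
    failures inside a `findtime`-second window. Lines must be in time order."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    users = defaultdict(set)     # ip -> every username that failed from it
    flagged = set()
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue             # accepted logins and unrelated lines
        stamp, user, ip = m.groups()
        # Syslog timestamps carry no year, so one is assumed.
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        users[ip].add(user)
        times = recent[ip]
        times.append(when)
        while when - times[0] > window:
            times.popleft()      # forget failures older than the window
        if len(times) >= maxretry:
            flagged.add(ip)
    return {ip: sorted(users[ip]) for ip in flagged}

# Constructed sample log: a fast burst, a single failure followed by a
# good login, and a slow source with one failure per hour.
SAMPLE = (
    [f"Jan 31 11:40:{33 + i} localhost sshd[{2211 + i}]: Failed password for "
     f"johann from 127.0.0.1 port {51000 + i} ssh2" for i in range(6)]
    + ["Jan 31 11:42:01 localhost sshd[2300]: Failed password for invalid user "
       "admin from 192.168.1.20 port 40022 ssh2",
       "Jan 31 11:42:09 localhost sshd[2301]: Accepted password for johann "
       "from 192.168.1.20 port 40023 ssh2"]
    + [f"Jan 31 {12 + i}:00:00 localhost sshd[3000]: Failed password for root "
       f"from 192.168.1.30 port 40100 ssh2" for i in range(5)]
)

if __name__ == "__main__":
    for ip, names in find_offenders(SAMPLE).items():
        print(f"{ip}: ban candidate, usernames tried: {', '.join(names)}")
```

With the default ten-minute window, the hourly source is never flagged, which is why a long findtime matters against slow guessing.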