1
00:00:00,420 --> 00:00:08,060
Hydra is a free and open source command line tool to crack valid login password pairs online.

2
00:00:09,090 --> 00:00:12,660
It's very fast and flexible, and new modules are easy to add.

3
00:00:13,260 --> 00:00:20,460
Hydra is embedded in Kali, but before using it, we'd better have a look at some of the parameters.

4
00:00:22,000 --> 00:00:29,080
You can specify the username list, let's say the user dictionary, with uppercase L as the parameter.

5
00:00:30,070 --> 00:00:37,210
If you'd like to find the password of a valid user, you can specify a single user with lowercase l instead.

6
00:00:38,540 --> 00:00:45,650
You can specify the password list, let's say the password dictionary, with uppercase P as a parameter.

7
00:00:46,620 --> 00:00:52,680
If you find a password, for example, while dumpster diving and don't know the user, you can specify

8
00:00:52,680 --> 00:00:56,220
a single password with lowercase p as a parameter.

9
00:00:58,400 --> 00:01:05,239
If one valid username password pair is enough for us, we can use the -f parameter, and that makes it

10
00:01:05,239 --> 00:01:08,840
exit when it finds a valid username password pair.

11
00:01:10,340 --> 00:01:15,950
Now, server is another required parameter of the tool, which stands for the target server.

12
00:01:17,220 --> 00:01:24,000
Finally, we have to specify the service that we want to attack, and some supported services are

13
00:01:24,930 --> 00:01:32,940
MSSQL, MySQL, Oracle listener, SSH, Cisco, and the list goes on.

14
00:01:34,290 --> 00:01:40,350
So let's see how we can perform a dictionary attack on the SSH service using Hydra.

15
00:01:41,800 --> 00:01:43,900
So we want to open a terminal screen in Kali.

16
00:01:45,280 --> 00:01:50,020
Now, I want to test a network connection first between Kali and the target system, which is one

17
00:01:50,020 --> 00:01:53,590
nine two one six eight one zero one one for me at the moment.
18
00:01:55,230 --> 00:02:01,200
Now I want to learn whether the SSH service is running on the target, and to achieve this, I'm going

19
00:02:01,200 --> 00:02:02,600
to use the nmap tool.

20
00:02:03,420 --> 00:02:04,980
I know you're already a step ahead of me.

21
00:02:05,190 --> 00:02:05,760
That's good.

22
00:02:07,550 --> 00:02:11,060
The first parameter is the IP address of the target machine.

23
00:02:12,170 --> 00:02:19,190
So let's scan the most common one hundred ports, which will cover the default SSH port, which is

24
00:02:19,190 --> 00:02:19,910
22.

25
00:02:21,490 --> 00:02:27,490
Now, the last parameter is to detect the versions of the services. If you don't use version detection,

26
00:02:27,490 --> 00:02:34,300
nmap labels ports according to the default services. For example, if SSH is running on, let's

27
00:02:34,300 --> 00:02:42,100
say, port 80 and you don't use the version detection option, nmap labels the service as HTTP, which

28
00:02:42,100 --> 00:02:43,600
is not correct.

29
00:02:45,800 --> 00:02:48,530
So now we've got the results in 12 seconds.

30
00:02:48,710 --> 00:02:53,780
And as you'll see, the SSH service is running on port 22.

31
00:02:55,240 --> 00:02:59,920
Next up is to try to establish an SSH connection to the target.

32
00:03:01,290 --> 00:03:07,470
Well, I'm feeling pretty lucky today, and I want to try for the user first, so.

33
00:03:08,830 --> 00:03:14,590
Type ssh root at the target IP and hit Enter.

34
00:03:16,370 --> 00:03:21,920
It's asking for the password, so we can suppose that the target system is open to connect with a root

35
00:03:21,920 --> 00:03:22,310
user.

36
00:03:23,390 --> 00:03:30,970
We don't know the password as of yet, so I'll just press Control-C to cancel the login process.

37
00:03:32,860 --> 00:03:39,510
OK, now it is time to use Hydra to perform a password cracking attack on that target machine.
38
00:03:41,200 --> 00:03:49,030
So if you type hydra and press enter, the help page appears, explaining what Hydra is, and here are the

39
00:03:49,030 --> 00:03:49,630
options.

40
00:03:50,600 --> 00:03:55,010
Now, these are the supported services, including the SSH service.

41
00:03:56,340 --> 00:03:58,980
So let's go ahead and build the command together.

42
00:04:00,020 --> 00:04:06,560
Since we know the root user is enabled for the SSH service of the target machine, we can give a single

43
00:04:06,560 --> 00:04:11,510
user, root, as the username with lowercase l as the parameter.

44
00:04:12,840 --> 00:04:17,010
The uppercase P is to define the dictionary which will be used in the attack.

45
00:04:17,950 --> 00:04:23,680
Well, we're going to need a dictionary, so let's search Kali to find one. I'll just use the find

46
00:04:23,920 --> 00:04:25,390
Linux command for this purpose.

47
00:04:26,450 --> 00:04:29,570
The first parameter is where it's going to start to search.

48
00:04:30,580 --> 00:04:33,530
It means that it will start searching from the root folder.

49
00:04:34,340 --> 00:04:39,440
-name means that we want to find the files according to their file names.

50
00:04:40,190 --> 00:04:44,000
Now, I want to find the files where the name starts with password.

51
00:04:45,070 --> 00:04:50,000
Star here represents that the rest of the name might be, well, anything.

52
00:04:50,740 --> 00:04:52,000
So it's OK to hit enter.

53
00:04:53,390 --> 00:04:57,590
Well, now there are a lot of files. I did not expect that, did you?

54
00:04:59,740 --> 00:05:00,910
So I scroll up a bit.

55
00:05:01,700 --> 00:05:04,750
OK, here I found a folder with the name

56
00:05:04,810 --> 00:05:09,710
wordlists, so let's go to the folder and look at those wordlists.

57
00:05:14,520 --> 00:05:16,360
ls to list the files.

58
00:05:17,250 --> 00:05:20,610
Well, look at that, there are a lot of wordlists for different purposes.
59
00:05:23,720 --> 00:05:30,920
Here there's a wordlist, unix_passwords. That's not a big file, in fact, but I don't want to waste

60
00:05:30,920 --> 00:05:36,220
time while waiting to run a long dictionary, so this would be enough for us to start anyway.

61
00:05:36,620 --> 00:05:41,000
And of course, I'll choose a simple password for the SSH service for the attack to succeed.

62
00:05:41,720 --> 00:05:43,490
But don't tell anybody else.

63
00:05:45,380 --> 00:05:54,110
The wc Linux command is used to count letters, words and lines of a text file. The result means that

64
00:05:54,110 --> 00:06:04,670
the unix_passwords file has one thousand and nine lines, one thousand and nine words and 7,883 characters

65
00:06:04,670 --> 00:06:07,010
inside. Useful information.

66
00:06:08,420 --> 00:06:16,190
So let's continue to build the Hydra command: hydra, dash l root, dash uppercase P, password file

67
00:06:16,790 --> 00:06:18,920
unix_passwords.txt.

68
00:06:21,140 --> 00:06:23,810
-f to exit as soon as finding a valid credential.

69
00:06:25,200 --> 00:06:29,490
Dash capital V is to show the login and password pairs of each attempt.

70
00:06:30,580 --> 00:06:32,990
That's used to increase the verbosity level.

71
00:06:34,960 --> 00:06:36,070
Target IP address.

72
00:06:36,220 --> 00:06:39,150
And finally, the service to attack, ssh.

73
00:06:39,850 --> 00:06:41,440
And time to run the command.

74
00:06:42,130 --> 00:06:46,060
OK, so I'll abort the attack by pressing the control keys.

75
00:06:46,300 --> 00:06:48,100
But please look at the first lines.

76
00:06:48,520 --> 00:06:55,450
There's a warning here which says many SSH configurations limit the number of parallel tasks, and it

77
00:06:55,450 --> 00:07:00,240
recommends us to reduce the tasks using the -t 4 parameter value pair.

78
00:07:00,880 --> 00:07:07,450
OK, I recall the command by pressing the up arrow, add five at the end and run the command again.
79
00:07:09,020 --> 00:07:15,440
Now it warns me that it will overwrite the restore file of the previous session if we do not abort the

80
00:07:15,440 --> 00:07:18,260
command in 10 seconds. Countdown starts.

81
00:07:20,150 --> 00:07:27,440
Now the attack started, so as you see here, Hydra pauses the attack at every fifth try.

82
00:07:29,400 --> 00:07:35,070
Now we've got the results in seconds. We found the password of the user of the SSH server running

83
00:07:35,070 --> 00:07:39,330
on the target system. Hydra says the password is password one.

84
00:07:39,930 --> 00:07:41,040
Never seen that before.

85
00:07:53,010 --> 00:07:55,710
Now, I have an SSH connection on the target system.

86
00:07:56,030 --> 00:07:57,330
Haha, well done.