1
00:00:00,360 --> 00:00:06,480
Hydra is a free and open source command line tool to crack valid login password pairs online.

2
00:00:06,960 --> 00:00:10,860
It's very fast and flexible, and new modules are easy to add.

3
00:00:11,370 --> 00:00:13,830
Hydra is embedded in Kali.

4
00:00:14,730 --> 00:00:18,090
But before using it, we'd better see some of its parameters.

5
00:00:19,130 --> 00:00:21,020
You can specify the username list.

6
00:00:21,500 --> 00:00:26,150
Let's say the user directory, with the uppercase L parameter.

7
00:00:26,870 --> 00:00:32,660
If you'd like to find the password of a valid user, you can specify a single user with the lowercase l

8
00:00:32,660 --> 00:00:33,680
parameter instead.

9
00:00:34,610 --> 00:00:37,160
You can also specify the password list.

10
00:00:37,640 --> 00:00:42,680
Let's call it the password dictionary, with the uppercase P parameter.

11
00:00:43,520 --> 00:00:49,700
If you find a password, for example while dumpster diving, and don't know the user, you can specify

12
00:00:49,700 --> 00:00:52,250
a single password with the lowercase p.

13
00:00:53,370 --> 00:01:00,090
If one valid username and password pair is enough for us, we can use the f parameter, and that makes

14
00:01:00,090 --> 00:01:03,750
the tool exit when it finds a valid username, password pair.

15
00:01:04,880 --> 00:01:09,890
Server is another required parameter of the tool, which stands for the target server.

16
00:01:11,060 --> 00:01:14,930
And finally, we have to specify the service that we want to attack.

17
00:01:15,650 --> 00:01:28,190
Some supported services are HTTP POST form, HTTPS POST form, HTTP GET form, HTTPS GET form, HTTP proxy,

18
00:01:28,760 --> 00:01:36,200
MySQL, MSSQL, Oracle Listener, SSH, Cisco, etc.

19
00:01:37,420 --> 00:01:41,500
Every protocol has its own unique options to set.

20
00:01:42,710 --> 00:01:47,540
We'll see the options for HTTP POST form in the following demonstration.
21
00:01:50,310 --> 00:01:53,430
So now I'll go to Kali and run a web browser.

22
00:01:54,390 --> 00:01:59,730
Do you remember the OWASP Broken Web Applications, abbreviated BWA, server?

23
00:02:00,570 --> 00:02:04,320
Well, it's on my network with the IP number of 139.

24
00:02:06,030 --> 00:02:10,230
Write the IP address in the address bar of the browser and hit Enter.

25
00:02:10,890 --> 00:02:13,630
Now here's the home page of the OWASP BWA.

26
00:02:14,640 --> 00:02:18,600
I scroll down a bit and click the Damn Vulnerable Web Application link.

27
00:02:19,990 --> 00:02:24,040
Now we arrive at a login page that asks for the username and the password.

28
00:02:24,760 --> 00:02:31,840
Now we don't know any credential, and we'll try to find a valid username, password pair by an online password

29
00:02:31,840 --> 00:02:32,650
cracking attack.

30
00:02:33,970 --> 00:02:41,380
So open a terminal screen. Hydra is embedded in Kali, so you can start to use it simply by typing

31
00:02:41,380 --> 00:02:41,920
its name.

32
00:02:42,370 --> 00:02:46,540
If you type hydra with no parameter, the help page appears.

33
00:02:47,640 --> 00:02:50,970
Here is the list of options and supported services.

34
00:02:52,250 --> 00:02:54,500
So let's start to build our attack.

35
00:02:55,730 --> 00:02:59,750
l is the first parameter. To keep the attack simple and fast,

36
00:03:00,230 --> 00:03:07,610
I suppose that we know a valid user, which is probably going to be admin, so I'll use the lowercase

37
00:03:07,610 --> 00:03:08,420
l parameter.

38
00:03:09,380 --> 00:03:13,670
Now we specify the password dictionary with the uppercase P.

39
00:03:15,150 --> 00:03:17,550
Well, there are some dictionaries in Kali.

40
00:03:17,580 --> 00:03:20,610
Let me find them, and I'll use one.

41
00:03:21,060 --> 00:03:27,510
So I open a new terminal screen and search for the dictionaries using the find Linux command.
42
00:03:28,540 --> 00:03:32,920
So I'm looking for the files that start with pass and have

43
00:03:33,930 --> 00:03:35,820
the .lst extension.

44
00:03:37,210 --> 00:03:38,140
I found a few.

45
00:03:38,710 --> 00:03:42,670
So let's look at the contents of one of them using the less Linux command.

46
00:03:43,710 --> 00:03:49,350
You can search for a phrase with the forward slash indicator within the less command.

47
00:03:49,920 --> 00:03:54,330
So I look for admin, to see if the word exists in the dictionary.

48
00:03:55,410 --> 00:04:02,700
Well, because I know the password of the admin user is admin, and I want to show you a successful attack.

49
00:04:11,760 --> 00:04:15,890
OK, now this is the target server, OWASP BWA,

50
00:04:15,930 --> 00:04:16,650
139.

51
00:04:17,670 --> 00:04:20,310
I have to specify the service we attack.

52
00:04:21,030 --> 00:04:24,510
So to learn the service, let's go to the browser again.

53
00:04:25,070 --> 00:04:27,810
But before trying to log in, I run Burp Suite.

54
00:04:28,850 --> 00:04:36,080
Now, I think I should tell you a little bit about Burp Suite. Burp Suite is used in web application

55
00:04:36,080 --> 00:04:42,920
penetration tests, and I've explained and used it extensively in Hacking Web Applications and Penetration

56
00:04:42,920 --> 00:04:43,490
Testing.

57
00:04:44,060 --> 00:04:49,970
That's the course that fully lays it out in detail, but I'll just give you a little introduction to

58
00:04:49,970 --> 00:04:51,710
it now if you haven't done that course.

59
00:04:54,010 --> 00:04:57,970
Burp Suite is a web application penetration testing framework.

60
00:04:58,690 --> 00:05:04,540
It has become an industry standard suite of tools used by information security professionals to identify

61
00:05:04,540 --> 00:05:09,220
vulnerabilities and verify attack vectors for web based applications.
62
00:05:10,510 --> 00:05:18,070
I suppose in its simplest form, Burp Suite can be classified as a personal proxy or interception proxy.

63
00:05:19,000 --> 00:05:24,760
A penetration tester configures their internet browser to route traffic through the proxy, which then

64
00:05:24,760 --> 00:05:31,840
acts as a sort of man in the middle by capturing and analyzing each request and response to and from

65
00:05:31,840 --> 00:05:32,950
the target web app.

66
00:05:34,320 --> 00:05:42,600
Individual HTTP requests can be paused, manipulated and replayed back to the web server for targeted

67
00:05:42,600 --> 00:05:46,160
analysis of parameter specific injection points.

68
00:05:47,160 --> 00:05:54,030
The injection points can then be specified for manual as well as automated fuzzing attacks to discover

69
00:05:54,240 --> 00:05:59,790
potentially unintended application behaviors, crashes and error messages.

70
00:06:00,690 --> 00:06:01,350
You got all that?

71
00:06:02,940 --> 00:06:06,720
So now we can continue to the online cracking session with Hydra.

72
00:06:08,790 --> 00:06:10,950
Burp Suite is started.

73
00:06:11,950 --> 00:06:17,590
We have to route traffic through Burp Suite to be able to listen to the requests and responses and analyze

74
00:06:17,590 --> 00:06:17,710
them.

75
00:06:18,790 --> 00:06:25,960
So to do this, we should change the proxy settings of the browser to listen to port 8080 of the local

76
00:06:25,960 --> 00:06:26,380
host.

77
00:06:27,250 --> 00:06:30,430
You can change the proxy of the browser from the Preferences menu.

78
00:06:31,300 --> 00:06:37,330
I just use the FoxyProxy plugin to change the proxy of the browser easily.

79
00:06:37,900 --> 00:06:40,930
This little fox icon is FoxyProxy.

80
00:06:40,930 --> 00:06:41,710
I'll click on it.

81
00:06:42,160 --> 00:06:46,690
And here there's a proxy setting for port 8080 of the localhost.
82
00:06:48,710 --> 00:06:53,480
Now you can use a proxy from your browser's network settings, as seen in the picture here.

83
00:06:56,070 --> 00:07:03,750
So I'll choose the localhost proxy, and now my browser's traffic is routed through Burp Suite.

84
00:07:04,660 --> 00:07:06,850
So now I'll make a login attempt.

85
00:07:11,810 --> 00:07:14,120
So I intercepted the login request.

86
00:07:14,450 --> 00:07:17,600
It's a POST, so we found the service to attack.

87
00:07:18,720 --> 00:07:23,520
Back to the Hydra query, the next parameter is HTTP POST form.

88
00:07:25,080 --> 00:07:31,500
Now is the most critical part of building a Hydra attack: setting the options of the service.

89
00:07:32,470 --> 00:07:39,160
There are three parts of the options of the service HTTP POST form, separated by the colon character.

90
00:07:40,300 --> 00:07:43,120
The first part is the address of the authentication form.

91
00:07:53,660 --> 00:07:57,710
The second part is the form parameters, and here they are.

92
00:07:58,520 --> 00:08:02,360
I'll copy them and paste them as the second part of the service options.

93
00:08:03,170 --> 00:08:04,550
Now this is an important point.

94
00:08:04,550 --> 00:08:12,170
Again, the place where the passwords will be put for the online cracking attack is labeled as PASS between

95
00:08:12,170 --> 00:08:14,390
two caret signs.

96
00:08:15,470 --> 00:08:22,610
Same as the password field, the place of the username is marked as USER between two caret characters

97
00:08:22,640 --> 00:08:23,240
as well.

98
00:08:24,440 --> 00:08:30,920
The third part of the service option is a unique part from the response message of a failed login attempt.

99
00:08:36,570 --> 00:08:37,530
So I go to the browser,

100
00:08:38,070 --> 00:08:43,590
copy the login failed message and paste that as the third part of the option.

101
00:08:45,020 --> 00:08:46,790
I think the service options are ready.
102
00:08:47,920 --> 00:08:54,190
So at last, I put the f parameter to make the tool exit when it finds a valid credential.

103
00:08:54,940 --> 00:08:56,530
So we're ready to run the command now.

104
00:08:56,890 --> 00:09:01,180
Just hit Enter, and an online password cracking attack starts.

105
00:09:02,700 --> 00:09:04,590
Now we'll wait as much as it takes.

106
00:09:05,040 --> 00:09:07,230
It reports every minute.

107
00:09:08,670 --> 00:09:14,040
And this is the first status report: 933 tries per minute, that's pretty good.

108
00:09:14,790 --> 00:09:18,870
And it says it has 2,626 tries to do.

109
00:09:34,830 --> 00:09:37,470
Now here it found a valid username, password pair.

110
00:09:37,830 --> 00:09:43,080
Just after the second minute's report. The username was already fixed: admin.

111
00:09:43,500 --> 00:09:46,350
And it found that the password is admin for the user.

112
00:09:47,040 --> 00:09:51,810
And since we used the f parameter, it stopped working as soon as it found a valid credential.

113
00:09:52,680 --> 00:09:59,490
Now we can go to the app and enter admin for the username and again admin for the password to log in.