diff --git a/CHANGES b/CHANGES index dba24ce..8a1786a 100644 --- a/CHANGES +++ b/CHANGES @@ -3,6 +3,7 @@ Changelog for hydra Release 8.7-dev +* New web page: https://github.com/vanhauser-thc/thc-hydra * http-get/http-post: - now supports H=/h= parameters same as http-form (thanks to mathewmarcus@github for the patch) - 403/404 errors are now always registered as failed attempts diff --git a/README b/README index b661a7e..c089c2e 100644 --- a/README +++ b/README @@ -2,7 +2,7 @@ H Y D R A (c) 2001-2018 by van Hauser / THC - http://www.thc.org + https://github.com/vanhauser-thc/thc-hydra many modules were written by David (dot) Maciejak @ gmail (dot) com BFG code by Jan Dlabal @@ -49,7 +49,7 @@ Your help in writing, enhancing or fixing modules is highly appreciated!! :-) WHERE TO GET ------------ You can always find the newest release/production version of hydra at its -project page at https://www.thc.org/thc-hydra +project page at https://github.com/vanhauser-thc/thc-hydra/releases If you are interested in the current development state, the public development repository is at Github: svn co https://github.com/vanhauser-thc/thc-hydra @@ -377,7 +377,7 @@ Version 1.00 example: "These are very free form" ], "generator": { - "built": "2018-01-01 14:44:22", + "built": "2018-03-01 14:44:22", "commandline": "hydra -b jsonv1 -o results.json ... ...", "jsonoutputversion": "1.00", "server": "127.0.0.1", diff --git a/README.md b/README.md index c5c0dfb..c089c2e 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ H Y D R A (c) 2001-2018 by van Hauser / THC - http://www.thc.org + https://github.com/vanhauser-thc/thc-hydra many modules were written by David (dot) Maciejak @ gmail (dot) com BFG code by Jan Dlabal 
@@ -49,7 +49,7 @@ Your help in writing, enhancing or fixing modules is highly appreciated!! :-) WHERE TO GET ------------ You can always find the newest release/production version of hydra at its -project page at https://www.thc.org/thc-hydra +project page at https://github.com/vanhauser-thc/thc-hydra/releases If you are interested in the current development state, the public development repository is at Github: svn co https://github.com/vanhauser-thc/thc-hydra diff --git a/hydra-pcnfs.c b/hydra-pcnfs.c index fed02dd..dc9e41a 100644 --- a/hydra-pcnfs.c +++ b/hydra-pcnfs.c @@ -66,7 +66,7 @@ int32_t start_pcnfs(int32_t s, char *ip, int32_t port, unsigned char options, ch prh->len_passwd = htonl(63); prh->len_comments = htonl(254); - strcpy(prh->comments, " Hydra - THC password cracker - visit http://www.thc.org - use only allowed for legal purposes "); + strcpy(prh->comments, " Hydra - THC password cracker - visit https://github.com/vanhauser-thc/thc-hydra - use only allowed for legal purposes "); strcpy(prh->name, "localhost"); ptr = prh->id; diff --git a/hydra.c b/hydra.c index 6746d68..53e1ff7 100644 --- a/hydra.c +++ b/hydra.c @@ -1,6 +1,6 @@ /* * hydra (c) 2001-2018 by van Hauser / THC - * http://www.thc.org + * https://github.com/vanhauser-thc/thc-hydra * * Parallized network login hacker. * Don't use in military or secret service organizations, or for illegal purposes. @@ -207,7 +207,7 @@ char *SERVICES = #define VERSION "v8.7-dev" #define AUTHOR "van Hauser/THC" #define EMAIL "" -#define RESOURCE "http://www.thc.org/thc-hydra" +#define RESOURCE "https://github.com/vanhauser-thc/thc-hydra" extern char *hydra_strcasestr(const char *haystack, const char *needle); extern void hydra_tobase64(unsigned char *buf, int32_t buflen, int32_t bufsize); diff --git a/pw-inspector.c b/pw-inspector.c index 9b5a2f9..86eb352 100644 --- a/pw-inspector.c +++ b/pw-inspector.c 
@@ -8,7 +8,7 @@ #define PROGRAM "PW-Inspector" #define VERSION "v0.2" #define EMAIL "vh@thc.org" -#define WEB "http://www.thc.org" +#define WEB "https://github.com/vanhauser-thc/thc-hydra" #define MAXLENGTH 256 diff --git a/web/CHANGES b/web/CHANGES index 3ae374b..8a1786a 100644 --- a/web/CHANGES +++ b/web/CHANGES @@ -1,7 +1,22 @@ Changelog for hydra ------------------- -Release 8.6-dev + +Release 8.7-dev +* New web page: https://github.com/vanhauser-thc/thc-hydra +* http-get/http-post: + - now supports H=/h= parameters same as http-form (thanks to mathewmarcus@github for the patch) + - 403/404 errors are now always registered as failed attempts +* mysql module: a non-default port was not working, fixed +* added -w timeout support to ssh module +* fixed various memory leaks in http-form module +* corrected hydra return code to be 0 on success +* added patch from debian maintainers which fixes spellings +* fixed weird crash on x64 systems +* many warning fixes by crondaemon + + +Release 8.6 * added radmin2 module by catatonic prime - great work! * smb module now checks if SMBv1 is supported by the server and if signing is required * http-form module now supports URLs up to 6000 bytes (thanks to petrock6@github for the patch) diff --git a/web/README b/web/README index 072175a..b76c4c4 100644 --- a/web/README +++ b/web/README @@ -1,8 +1,8 @@ H Y D R A - (c) 2001-2017 by van Hauser / THC - http://www.thc.org + (c) 2001-2018 by van Hauser / THC + https://github.com/vanhauser-thc/thc-hydra many modules were written by David (dot) Maciejak @ gmail (dot) com BFG code by Jan Dlabal 
@@ -49,7 +49,7 @@ Your help in writing, enhancing or fixing modules is highly appreciated!! :-) WHERE TO GET ------------ You can always find the newest release/production version of hydra at its -project page at https://www.thc.org/thc-hydra +project page at https://github.com/vanhauser-thc/thc-hydra/releases If you are interested in the current development state, the public development repository is at Github: svn co https://github.com/vanhauser-thc/thc-hydra @@ -64,19 +64,25 @@ HOW TO COMPILE -------------- To configure, compile and install hydra, just type: +``` ./configure make make install +``` If you want the ssh module, you have to setup libssh (not libssh2!) on your system, get it from http://www.libssh.org, for ssh v1 support you also need to add "-DWITH_SSH1=On" option in the cmake command line. If you use Ubuntu/Debian, this will install supplementary libraries needed -for a few optional modules: - apt-get install libssl-dev libssh-dev libidn11-dev libpcre3-dev \ +for a few optional modules (note that some might not be available on your distribution): + +``` +apt-get install libssl-dev libssh-dev libidn11-dev libpcre3-dev \ libgtk2.0-dev libmysqlclient-dev libpq-dev libsvn-dev \ - firebird2.1-dev libncp-dev + firebird-dev libncp-dev +``` + This enables all optional modules and features with the exception of Oracle, SAP R/3 and the apple filing protocol - which you will need to download and install from the vendor's web sites. 
@@ -90,31 +96,34 @@ and compile them manually. SUPPORTED PLATFORMS ------------------- -All UNIX platforms (linux, *bsd, solaris, etc.) -MacOS -Windows with Cygwin (both IPv4 and IPv6) -Mobile systems based on Linux, MacOS or QNX (e.g. Android, iPhone, Blackberry 10, Zaurus, iPaq) +- All UNIX platforms (Linux, *bsd, Solaris, etc.) +- MacOS (basically a BSD clone) +- Windows with Cygwin (both IPv4 and IPv6) +- Mobile systems based on Linux, MacOS or QNX (e.g. Android, iPhone, Blackberry 10, Zaurus, iPaq) HOW TO USE ---------- -If you just enter "hydra", you will see a short summary of the important +If you just enter `hydra`, you will see a short summary of the important options available. -Type "./hydra -h" to see all available command line options. +Type `./hydra -h` to see all available command line options. Note that NO login/password file is included. Generate them yourself. A default password list is however present, use "dpl4hydra.sh" to generate a list. -For Linux users, a GTK gui is available, try "./xhydra" +For Linux users, a GTK gui is available, try `./xhydra` For the command line usage, the syntax is as follows: For attacking one target or a network, you can use the new "://" style: - hydra [some command line options] PROTOCOL://TARGET:PORT/OPTIONS + hydra [some command line options] PROTOCOL://TARGET:PORT/MODULE-OPTIONS The old mode can be used for these too, and additionally if you want to specify your targets from a text file, you *must* use this one: - hydra [some command line options] [-s port] TARGET PROTOCOL OPTIONS + +``` +hydra [some command line options] [-s PORT] TARGET PROTOCOL [MODULE-OPTIONS] +``` Via the command line options you specify which logins to try, which passwords, if SSL should be used, how many parallel tasks to use for attacking, etc. 
@@ -122,7 +131,7 @@ if SSL should be used, how many parallel tasks to use for attacking, etc. PROTOCOL is the protocol you want to use for attacking, e.g. ftp, smtp, http-get or many others are available TARGET is the target you want to attack -OPTIONS are optional values which are special per PROTOCOL module +MODULE-OPTIONS are optional values which are special per PROTOCOL module FIRST - select your target you have three options on how to specify the target you want to attack: @@ -147,7 +156,7 @@ FOURTH - the destination port If you use "://" notation, you must use "[" "]" brackets if you want to supply IPv6 addresses or CIDR ("192.168.0.0/24") notations to attack: hydra [some command line options] ftp://[192.168.0.0/24]/ - hydra [some command line options] -6 smtp://[2001:db8::1]/NTLM + hydra [some command line options] -6 smtps://[2001:db8::1]/NTLM Note that everything hydra does is IPv4 only! If you want to attack IPv6 addresses, you must add the "-6" command line option. @@ -158,22 +167,27 @@ notation but use the old style and just supply the protocol (and module options) hydra [some command line options] -M targets.txt ftp You can supply also port for each target entry by adding ":" after a target entry in the file, e.g.: - foo.bar.com - target.com:21 - unusual.port.com:2121 - default.used.here.com - 127.0.0.1 - 127.0.0.1:2121 + +``` +foo.bar.com +target.com:21 +unusual.port.com:2121 +default.used.here.com +127.0.0.1 +127.0.0.1:2121 +``` Note that if you want to attach IPv6 targets, you must supply the -6 option and *must* put IPv6 addresses in brackets in the file(!) like this: - foo.bar.com - target.com:21 - [fe80::1%eth0] - [2001::1] - [2002::2]:8080 - [2a01:24a:133:0:00:123:ff:1a] +``` +foo.bar.com +target.com:21 +[fe80::1%eth0] +[2001::1] +[2002::2]:8080 +[2a01:24a:133:0:00:123:ff:1a] +``` LOGINS AND PASSWORDS -------------------- 
@@ -182,45 +196,68 @@ With -l for login and -p for password you tell hydra that this is the only login and/or password to try. With -L for logins and -P for passwords you supply text files with entries. e.g.: - hydra -l admin -p password ftp://localhost/ - hydra -L default_logins.txt -p test ftp://localhost/ - hydra -l admin -P common_passwords.txt ftp://localhost/ - hydra -L logins.txt -P passwords.txt ftp://localhost/ + +``` +hydra -l admin -p password ftp://localhost/ +hydra -L default_logins.txt -p test ftp://localhost/ +hydra -l admin -P common_passwords.txt ftp://localhost/ +hydra -L logins.txt -P passwords.txt ftp://localhost/ +``` + Additionally, you can try passwords based on the login via the "-e" option. The "-e" option has three parameters: - s - try the login as password - n - try an empty password - r - reverse the login and try it as password + +``` +s - try the login as password +n - try an empty password +r - reverse the login and try it as password +``` + If you want to, e.g. try "try login as password and "empty password", you specify "-e sn" on the command line. - But there are two more modes for trying passwords than -p/-P: You can use text file which where a login and password pair is separated by a colon, e.g.: - admin:password - test:test - foo:bar + +``` +admin:password +test:test +foo:bar +``` + This is a common default account style listing, that is also generated by the dpl4hydra.sh default account file generator supplied with hydra. You use such a text file with the -C option - note that in this mode you can not use -l/-L/-p/-P options (-e nsr however you can). 
Example: - hydra -C default_accounts.txt ftp://localhost/ + +``` +hydra -C default_accounts.txt ftp://localhost/ +``` And finally, there is a bruteforce mode with the -x option (which you can not use with -p/-P/-C): - -x minimum_length:maximum_length:charset -the charset definition is 'a' for lowercase letters, 'A' for uppercase letters, -'1' for numbers and for anything else you supply it is their real representation. + +``` +-x minimum_length:maximum_length:charset +``` + +the charset definition is `a` for lowercase letters, `A` for uppercase letters, +`1` for numbers and for anything else you supply it is their real representation. Examples: - -x 1:3:a generate passwords from length 1 to 3 with all lowercase letters - -x 2:5:/ generate passwords from length 2 to 5 containing only slashes - -x 5:8:A1 generate passwords from length 5 to 8 with uppercase and numbers + +``` +-x 1:3:a generate passwords from length 1 to 3 with all lowercase letters +-x 2:5:/ generate passwords from length 2 to 5 containing only slashes +-x 5:8:A1 generate passwords from length 5 to 8 with uppercase and numbers +``` + Example: - hydra -l ftp -x 3:3:a ftp://localhost/ - +``` +hydra -l ftp -x 3:3:a ftp://localhost/ +``` SPECIAL OPTIONS FOR MODULES --------------------------- 
@@ -229,19 +266,23 @@ command line option, you can pass one option to a module. Many modules use this, a few require it! To see the special option of a module, type: + hydra -U + e.g. + ./hydra -U http-post-form The special options can be passed via the -m parameter, as 3rd command line option or in the service://target/option format. Examples (they are all equal): - ./hydra -l test -p test -m PLAIN 127.0.0.1 imap - ./hydra -l test -p test 127.0.0.1 imap PLAIN - ./hydra -l test -p test imap://127.0.0.1/PLAIN - +``` +./hydra -l test -p test -m PLAIN 127.0.0.1 imap +./hydra -l test -p test 127.0.0.1 imap PLAIN +./hydra -l test -p test imap://127.0.0.1/PLAIN +``` RESTORING AN ABORTED/CRASHED SESSION ------------------------------------ 
@@ -251,28 +292,35 @@ restore the session. This session file is written every 5 minutes. NOTE: the hydra.restore file can NOT be copied to a different platform (e.g. from little endian to big endian, or from solaris to aix) - - HOW TO SCAN/CRACK OVER A PROXY ------------------------------ The environment variable HYDRA_PROXY_HTTP defines the web proxy (this works just for the http services!). The following syntax is valid: - HYDRA_PROXY_HTTP="http://123.45.67.89:8080/" - HYDRA_PROXY_HTTP="http://login:password@123.45.67.89:8080/" - HYDRA_PROXY_HTTP="proxylist.txt" + +``` +HYDRA_PROXY_HTTP="http://123.45.67.89:8080/" +HYDRA_PROXY_HTTP="http://login:password@123.45.67.89:8080/" +HYDRA_PROXY_HTTP="proxylist.txt" +``` + The last example is a text file containing up to 64 proxies (in the same format definition as the other examples). For all other services, use the HYDRA_PROXY variable to scan/crack. It uses the same syntax. eg: - HYDRA_PROXY=[connect|socks4|socks5]://[login:password@]proxy_addr:proxy_port + +``` +HYDRA_PROXY=[connect|socks4|socks5]://[login:password@]proxy_addr:proxy_port +``` + for example: - HYDRA_PROXY=connect://proxy.anonymizer.com:8000 - HYDRA_PROXY=socks4://auth:pw@127.0.0.1:1080 - HYDRA_PROXY=socksproxylist.txt - +``` +HYDRA_PROXY=connect://proxy.anonymizer.com:8000 +HYDRA_PROXY=socks4://auth:pw@127.0.0.1:1080 +HYDRA_PROXY=socksproxylist.txt +``` ADDITIONAL HINTS ---------------- @@ -293,6 +341,7 @@ RESULTS OUTPUT The results are output to stdio along with the other information. Via the -o command line option, the results can also be written to a file. Using -b, the format of the output can be specified. Currently, these are supported: + * `text` - plain text format * `jsonv1` - JSON data using version 1.x of the schema (defined below). * `json` - JSON data using the latest version of the schema, currently there 
@@ -302,7 +351,8 @@ If using JSON output, the results file may not be valid JSON if there are serious errors in booting Hydra. -### JSON Schema +JSON Schema +----------- Here is an example of the JSON output. Notes on some of the fields: * `errormessages` - an array of zero or more strings that are normally printed @@ -327,7 +377,7 @@ Version 1.00 example: "These are very free form" ], "generator": { - "built": "2017-03-01 14:44:22", + "built": "2018-01-01 14:44:22", "commandline": "hydra -b jsonv1 -o results.json ... ...", "jsonoutputversion": "1.00", "server": "127.0.0.1", @@ -373,6 +423,7 @@ Run against a SuSE Linux 7.2 on localhost with a "-C FILE" containing 295 entries (294 tries invalid logins, 1 valid). Every test was run three times (only for "1 task" just once), and the average noted down. +``` P A R A L L E L T A S K S SERVICE 1 4 8 16 32 50 64 100 128 ------- -------------------------------------------------------------------- @@ -380,6 +431,7 @@ telnet 23:20 5:58 2:58 1:34 1:05 0:33 0:45* 0:25* 0:55* ftp 45:54 11:51 5:54 3:06 1:25 0:58 0:46 0:29 0:32 pop3 92:10 27:16 13:56 6:42 2:55 1:57 1:24 1:14 0:50 imap 31:05 7:41 3:51 1:58 1:01 0:39 0:32 0:25 0:21 +``` (*) Note: telnet timings can be VERY different for 64 to 128 tasks! e.g. with @@ -387,10 +439,12 @@ Note: telnet timings can be VERY different for 64 to 128 tasks! e.g. with The reason for this is unknown... guesses per task (rounded up): - 295 74 38 19 10 6 5 3 3 + + 295 74 38 19 10 6 5 3 3 guesses possible per connect (depends on the server software and config): - telnet 4 + + telnet 4 ftp 6 pop3 1 imap 3 @@ -406,6 +460,7 @@ vh@thc.org (and put "antispam" in the subject line) You should use PGP to encrypt emails to vh@thc.org : +``` -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v3.3.3 (vh@thc.org) @@ -471,3 +526,4 @@ zlGuZP1S6Y7S13ytiULSzTfUxJmyGYgNo+4ygh0i6Dudf9NLmV+i9aEIbLbd6bni zB3yrr+vYBT0uDWmxwPjiJs= =ytEf -----END PGP PUBLIC KEY BLOCK----- +``` \ No newline at end of file
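Review bot: in the README hunk @@ -49 (WHERE TO GET), the unchanged context line `svn co https://github.com/vanhauser-thc/thc-hydra` still tells users to fetch the GitHub repository with Subversion; since this hunk is already rewriting the project URL on the line above it, change the command to `git clone https://github.com/vanhauser-thc/thc-hydra` so the fetch instruction matches the hosting the patch points at. The same context line appears in the README.md and web/README copies of this hunk.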
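Review bot: in the README hunk @@ -377, the example `"built"` timestamp becomes "2018-03-01 14:44:22", while the web/README hunk @@ -327 in this same patch sets the same field to "2018-01-01 14:44:22"; pick one value for both copies of the JSON schema example, or state next to the example that the timestamp is illustrative, so the two documents do not diverge on a field readers may compare.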
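Review bot: the README.md index line (`c5c0dfb..c089c2e`) ends at the same blob as README (`b661a7e..c089c2e`), i.e. after this patch README and README.md are byte-identical copies maintained by hand; keep one as the source and make the other a symlink or a release-time copy, otherwise the next edit lands in only one of them (the differing pre-images here show that has already happened once).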
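Review bot: in the hydra-pcnfs.c hunk @@ -66, the `strcpy(prh->comments, ...)` literal grows by roughly 17 bytes and the hunk does not show how large `prh->comments` is; `prh->len_comments = htonl(254)` two lines above suggests a 255-byte field, which the new string fits, but a plain `strcpy` gives no protection the next time the wording changes. Use `snprintf(prh->comments, sizeof(prh->comments), "%s", ...)` (or `strncpy` with the field size) so the struct cannot be overrun silently. The URL is also now hard-coded here, in hydra.c (`RESOURCE`) and in pw-inspector.c (`WEB`); a single shared define would keep the three in step.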
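Review bot: in the pw-inspector.c hunk @@ -8, `WEB` is moved to the GitHub URL but `EMAIL` stays `"vh@thc.org"` while the hydra.c hunk @@ -207 in the same patch leaves `EMAIL ""`; if the contact address is being retired from hydra's banner, do the same here, and if it is not, restore it in hydra.c, so the two tools print consistent contact information.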
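Review bot: in the web/CHANGES hunk @@ -1, the file lands at blob `8a1786a`, the same blob the top-level CHANGES hunk ends at, so this is a second hand-maintained copy of the changelog that was three releases' worth of entries behind before this patch; generate web/CHANGES from CHANGES (or symlink it) rather than editing both. The new 8.7-dev entries "fixed weird crash on x64 systems" and "fixed various memory leaks in http-form module" would also be more useful to packagers with a commit or issue reference each.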
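Review bot: in the web/README hunk @@ -64 (HOW TO COMPILE), the unchanged context line still sends users to `http://www.libssh.org` over plain HTTP while the rest of the patch moves project URLs to HTTPS; since libssh is fetched and built from that location, point it at the HTTPS URL so the download is not trivially substitutable in transit. The fenced `apt-get install` block keeps its backslash continuations and leading indentation, which copy-pastes fine.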
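Review bot: in the web/README hunk @@ -90 (HOW TO USE), the `PROTOCOL://TARGET:PORT/MODULE-OPTIONS` line is updated but left as an indented line while the old-style syntax immediately below it is moved into a fence; fence both forms the same way. In the same hunk `hydra`, `./hydra -h` and `./xhydra` switch to backticks but `"dpl4hydra.sh"` keeps double quotes; make that one a backtick span as well.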
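Review bot: in the web/README hunk @@ -147 (destination port), the example changes `smtp://` to `smtps://` without a matching CHANGES entry, and the unchanged context two lines below still reads "Note that everything hydra does is IPv4 only!" directly under an IPv6 example; since the paragraph goes on to say `-6` enables IPv6, reword it to "hydra uses IPv4 by default" so the sentence and the example stop contradicting each other.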
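Review bot: in the web/README hunk @@ -158 (targets file), the first fenced target list is preceded by a blank line but the IPv6 list's opening fence directly follows "like this:"; keep the spacing consistent between the two blocks. The context line "if you want to attach IPv6 targets" should read "attack".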
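Review bot: in the web/README hunk @@ -182 (LOGINS AND PASSWORDS), the context line `If you want to, e.g. try "try login as password and "empty password"` has unbalanced quotes and `You can use text file which where a login and password pair is separated by a colon` is ungrammatical; since the hunk already reworks these paragraphs, fix them, e.g. `If you want to try, e.g., "login as password" and "empty password", you specify "-e sn"` and `You can use a text file where each line holds a login and password pair separated by a colon`. The `-e` parameter descriptions (`s - try the login as password` ...) are descriptive text, so a bullet list reads better than a code fence.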
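Review bot: in the web/README hunk @@ -229 (SPECIAL OPTIONS FOR MODULES), `hydra -U` and `./hydra -U http-post-form` are kept as indented lines while the three "Examples (they are all equal)" commands just below are fenced; put the two `-U` invocations in a fence too so the section is consistent with the rest of the patch.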
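Review bot: in the web/README hunk @@ -251 (proxy section), the fenced examples `HYDRA_PROXY_HTTP="http://login:password@123.45.67.89:8080/"` and `HYDRA_PROXY=socks4://auth:pw@127.0.0.1:1080` put proxy credentials into an environment variable; since this hunk is rewriting the section, add one sentence that such a variable, when set on the command line, ends up in shell history and in the environment visible to other processes of the same user, and that the `proxylist.txt` / `socksproxylist.txt` file form keeps the credentials out of the command line. Also "eg:" in the unchanged context should be "e.g.:".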
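Review bot: in the final web/README hunk @@ -471, the added closing fence after the PGP key block is followed by `\ No newline at end of file`; end the file with a newline so the next change to web/README does not show a spurious diff on the last line and line-oriented tools do not complain.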