From a6d35e11bc9b0fe48f82a6a9119d5bd56655f7c7 Mon Sep 17 00:00:00 2001 From: Dario Lombardo Date: Thu, 17 Aug 2017 23:02:35 +0200 Subject: [PATCH] Change REAME to README.md. --- README => README.md | 172 +++++++++++++++++++++++++++++--------------- 1 file changed, 114 insertions(+), 58 deletions(-) rename README => README.md (88%) diff --git a/README b/README.md similarity index 88% rename from README rename to README.md index 072175a..b5e1c8e 100644 --- a/README +++ b/README.md @@ -64,9 +64,11 @@ HOW TO COMPILE -------------- To configure, compile and install hydra, just type: +``` ./configure make make install +``` If you want the ssh module, you have to setup libssh (not libssh2!) on your system, get it from http://www.libssh.org, for ssh v1 support you also need @@ -74,9 +76,13 @@ to add "-DWITH_SSH1=On" option in the cmake command line. If you use Ubuntu/Debian, this will install supplementary libraries needed for a few optional modules: - apt-get install libssl-dev libssh-dev libidn11-dev libpcre3-dev \ + +``` +apt-get install libssl-dev libssh-dev libidn11-dev libpcre3-dev \ libgtk2.0-dev libmysqlclient-dev libpq-dev libsvn-dev \ firebird2.1-dev libncp-dev +``` + This enables all optional modules and features with the exception of Oracle, SAP R/3 and the apple filing protocol - which you will need to download and install from the vendor's web sites. @@ -90,31 +96,34 @@ and compile them manually. SUPPORTED PLATFORMS ------------------- -All UNIX platforms (linux, *bsd, solaris, etc.) -MacOS -Windows with Cygwin (both IPv4 and IPv6) -Mobile systems based on Linux, MacOS or QNX (e.g. Android, iPhone, Blackberry 10, Zaurus, iPaq) +- All UNIX platforms (linux, *bsd, solaris, etc.) +- MacOS +- Windows with Cygwin (both IPv4 and IPv6) +- Mobile systems based on Linux, MacOS or QNX (e.g. Android, iPhone, Blackberry 10, Zaurus, iPaq) HOW TO USE ---------- -If you just enter "hydra", you will see a short summary of the important +If you just enter `hydra`, you will see a short summary of the important options available. -Type "./hydra -h" to see all available command line options. +Type `./hydra -h` to see all available command line options. Note that NO login/password file is included. Generate them yourself. A default password list is however present, use "dpl4hydra.sh" to generate a list. -For Linux users, a GTK gui is available, try "./xhydra" +For Linux users, a GTK gui is available, try `./xhydra` For the command line usage, the syntax is as follows: For attacking one target or a network, you can use the new "://" style: hydra [some command line options] PROTOCOL://TARGET:PORT/OPTIONS The old mode can be used for these too, and additionally if you want to specify your targets from a text file, you *must* use this one: - hydra [some command line options] [-s port] TARGET PROTOCOL OPTIONS + +``` +hydra [some command line options] [-s port] TARGET PROTOCOL OPTIONS +``` Via the command line options you specify which logins to try, which passwords, if SSL should be used, how many parallel tasks to use for attacking, etc. @@ -158,22 +167,27 @@ notation but use the old style and just supply the protocol (and module options) hydra [some command line options] -M targets.txt ftp You can supply also port for each target entry by adding ":" after a target entry in the file, e.g.: - foo.bar.com - target.com:21 - unusual.port.com:2121 - default.used.here.com - 127.0.0.1 - 127.0.0.1:2121 + +``` +foo.bar.com +target.com:21 +unusual.port.com:2121 +default.used.here.com +127.0.0.1 +127.0.0.1:2121 +``` Note that if you want to attach IPv6 targets, you must supply the -6 option and *must* put IPv6 addresses in brackets in the file(!) like this: - foo.bar.com - target.com:21 - [fe80::1%eth0] - [2001::1] - [2002::2]:8080 - [2a01:24a:133:0:00:123:ff:1a] +``` +foo.bar.com +target.com:21 +[fe80::1%eth0] +[2001::1] +[2002::2]:8080 +[2a01:24a:133:0:00:123:ff:1a] +``` LOGINS AND PASSWORDS -------------------- @@ -182,45 +196,68 @@ With -l for login and -p for password you tell hydra that this is the only login and/or password to try. With -L for logins and -P for passwords you supply text files with entries. e.g.: - hydra -l admin -p password ftp://localhost/ - hydra -L default_logins.txt -p test ftp://localhost/ - hydra -l admin -P common_passwords.txt ftp://localhost/ - hydra -L logins.txt -P passwords.txt ftp://localhost/ + +``` +hydra -l admin -p password ftp://localhost/ +hydra -L default_logins.txt -p test ftp://localhost/ +hydra -l admin -P common_passwords.txt ftp://localhost/ +hydra -L logins.txt -P passwords.txt ftp://localhost/ +``` + Additionally, you can try passwords based on the login via the "-e" option. The "-e" option has three parameters: - s - try the login as password - n - try an empty password - r - reverse the login and try it as password + +``` +s - try the login as password +n - try an empty password +r - reverse the login and try it as password +``` + If you want to, e.g. try "try login as password and "empty password", you specify "-e sn" on the command line. - But there are two more modes for trying passwords than -p/-P: You can use text file which where a login and password pair is separated by a colon, e.g.: - admin:password - test:test - foo:bar + +``` +admin:password +test:test +foo:bar +``` + This is a common default account style listing, that is also generated by the dpl4hydra.sh default account file generator supplied with hydra. You use such a text file with the -C option - note that in this mode you can not use -l/-L/-p/-P options (-e nsr however you can). Example: - hydra -C default_accounts.txt ftp://localhost/ + +``` +hydra -C default_accounts.txt ftp://localhost/ +``` And finally, there is a bruteforce mode with the -x option (which you can not use with -p/-P/-C): - -x minimum_length:maximum_length:charset -the charset definition is 'a' for lowercase letters, 'A' for uppercase letters, -'1' for numbers and for anything else you supply it is their real representation. + +``` +-x minimum_length:maximum_length:charset +``` + +the charset definition is `a` for lowercase letters, `A` for uppercase letters, +`1` for numbers and for anything else you supply it is their real representation. Examples: - -x 1:3:a generate passwords from length 1 to 3 with all lowercase letters - -x 2:5:/ generate passwords from length 2 to 5 containing only slashes - -x 5:8:A1 generate passwords from length 5 to 8 with uppercase and numbers + +``` +-x 1:3:a generate passwords from length 1 to 3 with all lowercase letters +-x 2:5:/ generate passwords from length 2 to 5 containing only slashes +-x 5:8:A1 generate passwords from length 5 to 8 with uppercase and numbers +``` + Example: - hydra -l ftp -x 3:3:a ftp://localhost/ - +``` +hydra -l ftp -x 3:3:a ftp://localhost/ +``` SPECIAL OPTIONS FOR MODULES --------------------------- @@ -229,19 +266,23 @@ command line option, you can pass one option to a module. Many modules use this, a few require it! To see the special option of a module, type: + hydra -U + e.g. + ./hydra -U http-post-form The special options can be passed via the -m parameter, as 3rd command line option or in the service://target/option format. Examples (they are all equal): - ./hydra -l test -p test -m PLAIN 127.0.0.1 imap - ./hydra -l test -p test 127.0.0.1 imap PLAIN - ./hydra -l test -p test imap://127.0.0.1/PLAIN - +``` +./hydra -l test -p test -m PLAIN 127.0.0.1 imap +./hydra -l test -p test 127.0.0.1 imap PLAIN +./hydra -l test -p test imap://127.0.0.1/PLAIN +``` RESTORING AN ABORTED/CRASHED SESSION ------------------------------------ @@ -251,28 +292,35 @@ restore the session. This session file is written every 5 minutes. NOTE: the hydra.restore file can NOT be copied to a different platform (e.g. from little endian to big endian, or from solaris to aix) - - HOW TO SCAN/CRACK OVER A PROXY ------------------------------ The environment variable HYDRA_PROXY_HTTP defines the web proxy (this works just for the http services!). The following syntax is valid: - HYDRA_PROXY_HTTP="http://123.45.67.89:8080/" - HYDRA_PROXY_HTTP="http://login:password@123.45.67.89:8080/" - HYDRA_PROXY_HTTP="proxylist.txt" + +``` +HYDRA_PROXY_HTTP="http://123.45.67.89:8080/" +HYDRA_PROXY_HTTP="http://login:password@123.45.67.89:8080/" +HYDRA_PROXY_HTTP="proxylist.txt" +``` + The last example is a text file containing up to 64 proxies (in the same format definition as the other examples). For all other services, use the HYDRA_PROXY variable to scan/crack. It uses the same syntax. eg: - HYDRA_PROXY=[connect|socks4|socks5]://[login:password@]proxy_addr:proxy_port + +``` +HYDRA_PROXY=[connect|socks4|socks5]://[login:password@]proxy_addr:proxy_port +``` + for example: - HYDRA_PROXY=connect://proxy.anonymizer.com:8000 - HYDRA_PROXY=socks4://auth:pw@127.0.0.1:1080 - HYDRA_PROXY=socksproxylist.txt - +``` +HYDRA_PROXY=connect://proxy.anonymizer.com:8000 +HYDRA_PROXY=socks4://auth:pw@127.0.0.1:1080 +HYDRA_PROXY=socksproxylist.txt +``` ADDITIONAL HINTS ---------------- @@ -293,6 +341,7 @@ RESULTS OUTPUT The results are output to stdio along with the other information. Via the -o command line option, the results can also be written to a file. Using -b, the format of the output can be specified. Currently, these are supported: + * `text` - plain text format * `jsonv1` - JSON data using version 1.x of the schema (defined below). * `json` - JSON data using the latest version of the schema, currently there @@ -302,7 +351,8 @@ If using JSON output, the results file may not be valid JSON if there are serious errors in booting Hydra. -### JSON Schema +JSON Schema +----------- Here is an example of the JSON output. Notes on some of the fields: * `errormessages` - an array of zero or more strings that are normally printed @@ -373,6 +423,7 @@ Run against a SuSE Linux 7.2 on localhost with a "-C FILE" containing 295 entries (294 tries invalid logins, 1 valid). Every test was run three times (only for "1 task" just once), and the average noted down. +``` P A R A L L E L T A S K S SERVICE 1 4 8 16 32 50 64 100 128 ------- -------------------------------------------------------------------- @@ -380,6 +431,7 @@ telnet 23:20 5:58 2:58 1:34 1:05 0:33 0:45* 0:25* 0:55* ftp 45:54 11:51 5:54 3:06 1:25 0:58 0:46 0:29 0:32 pop3 92:10 27:16 13:56 6:42 2:55 1:57 1:24 1:14 0:50 imap 31:05 7:41 3:51 1:58 1:01 0:39 0:32 0:25 0:21 +``` (*) Note: telnet timings can be VERY different for 64 to 128 tasks! e.g. with @@ -387,10 +439,12 @@ Note: telnet timings can be VERY different for 64 to 128 tasks! e.g. with The reason for this is unknown... guesses per task (rounded up): - 295 74 38 19 10 6 5 3 3 + + 295 74 38 19 10 6 5 3 3 guesses possible per connect (depends on the server software and config): - telnet 4 + + telnet 4 ftp 6 pop3 1 imap 3 @@ -406,6 +460,7 @@ vh@thc.org (and put "antispam" in the subject line) You should use PGP to encrypt emails to vh@thc.org : +``` -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v3.3.3 (vh@thc.org) @@ -471,3 +526,4 @@ zlGuZP1S6Y7S13ytiULSzTfUxJmyGYgNo+4ygh0i6Dudf9NLmV+i9aEIbLbd6bni zB3yrr+vYBT0uDWmxwPjiJs= =ytEf -----END PGP PUBLIC KEY BLOCK----- +``` \ No newline at end of file